Risks
Advisories
Browse
or
or
HP Security Bulletin - HP Integrated Lights-Out iLO3 and iLO4 using Single-Sign-On (SSO), Remote Unauthorized Access (HPSBHF02885)
HPSBHF02885 rev.2 - HP Integrated Lights-Out iLO3 and iLO4 using Single-Sign-On
(SSO), Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as
possible.
Release Date: 2013-06-11
Last Updated: 2013-06-17
Potential Security Impact: Remote unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Integrated Lights-Out
iLO3 and iLO4 using Single-Sign-On (SSO). The vulnerability could be remotely
exploited resulting in unauthorized access.

References: CVE-2013-2338 (SSRT101180)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Integrated Lights-Out 3 (iLO3) firmware versions prior to v1.57. 
HP Integrated Lights-Out 4 (iLO4) firmware versions prior to v1.22.

BACKGROUND
For a PGP signed version of this security bulletin please write to:
security-alert@hp.com

CVSS 2.0 Base Metrics

Reference; Base Vector; Base Score
CVE-2013-2338; (AV:N/AC:M/Au:N/C:C/I:C/A:C); 9.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following Firmware updates available to resolve the vulnerability.

The latest firmware and installation instructions are available from the HP Business
Support Center: http://www.hp.com/go/bizsupport

HP Integrated Lights-Out 4 (iLO4) Online ROM Flash Component for Linux and Windows
v1.22 or subsequent.

HP Integrated Lights-Out 3 (iLO3) Online ROM Flash Component for Linux and Windows
v1.57 or subsequent.

Note: Due to an unexpected delay in the iLO3 v1.57 firmware release, please use the
following temporary FTP site for downloading the update...

FTP System: ftp.usa.hp.com (15.192.32.78 or 15.193.0.64)

Login: ilo3_157 
Password: G!v3t2me

Note: login and password are CASE-sensitive.

HISTORY 
Version:1 (rev.1) - 11 June 2013 Initial release 
Version:2 (rev.2) - 17 June 2013 Added temporary FTP access for the v1.57 update

Third Party Security Patches: Third party security patches that are to be installed
on systems running HP software products should be applied in accordance with the
customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin,
contact normal HP Services support channel. For other issues about the content of
this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product,
send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts
via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive

Software Product Category: The Software Product Category is represented in the title
by the two characters following HPSB.

3C = 3COM 
3P = 3rd Party Software 
GN = HP General Software 
HF = HP Hardware and Firmware 
MP = MPE/iX 
MU = Multi-Platform Software 
NS = NonStop Servers 
OV = OpenVMS 
PI = Printing and Imaging 
PV = ProCurve 
ST = Storage Software 
TU = Tru64 UNIX 
UX = HP-UX

System management and security procedures must be reviewed frequently to maintain
system integrity. HP is continually reviewing and enhancing the security features of
software products to provide customers with current secure solutions.




Spotlight

Attackers use reflection techniques for larger DDoS attacks

Posted on 17 April 2014.  |  Instead of using a network of zombie computers, newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. This approach can lead to the Internet becoming a ready-to-use botnet for malicious actors.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Apr 18th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //