HP Security Bulletin - HP Integrated Lights-Out iLO3 and iLO4 using Single-Sign-On (SSO), Remote Unauthorized Access (HPSBHF02885)
HPSBHF02885 rev.2 - HP Integrated Lights-Out iLO3 and iLO4 using Single-Sign-On
(SSO), Remote Unauthorized Access
NOTICE: The information in this Security Bulletin should be acted upon as soon as
Release Date: 2013-06-11
Last Updated: 2013-06-17
Potential Security Impact: Remote unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team

A potential security vulnerability has been identified with HP Integrated Lights-Out
iLO3 and iLO4 using Single-Sign-On (SSO). The vulnerability could be remotely
exploited resulting in unauthorized access.

References: CVE-2013-2338 (SSRT101180)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Integrated Lights-Out 3 (iLO3) firmware versions prior to v1.57. 
HP Integrated Lights-Out 4 (iLO4) firmware versions prior to v1.22.

For a PGP signed version of this security bulletin please write to:

CVSS 2.0 Base Metrics

Reference; Base Vector; Base Score
CVE-2013-2338; (AV:N/AC:M/Au:N/C:C/I:C/A:C); 9.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
HP has made the following Firmware updates available to resolve the vulnerability.

The latest firmware and installation instructions are available from the HP Business
Support Center: http://www.hp.com/go/bizsupport

HP Integrated Lights-Out 4 (iLO4) Online ROM Flash Component for Linux and Windows
v1.22 or subsequent.

HP Integrated Lights-Out 3 (iLO3) Online ROM Flash Component for Linux and Windows
v1.57 or subsequent.

Note: Due to an unexpected delay in the iLO3 v1.57 firmware release, please use the
following temporary FTP site for downloading the update...

FTP System: ftp.usa.hp.com ( or

Login: ilo3_157 
Password: G!v3t2me

Note: login and password are CASE-sensitive.

Version:1 (rev.1) - 11 June 2013 Initial release 
Version:2 (rev.2) - 17 June 2013 Added temporary FTP access for the v1.57 update

Third Party Security Patches: Third party security patches that are to be installed
on systems running HP software products should be applied in accordance with the
customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin,
contact normal HP Services support channel. For other issues about the content of
this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product,
send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts
via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive

Software Product Category: The Software Product Category is represented in the title
by the two characters following HPSB.

3C = 3COM 
3P = 3rd Party Software 
GN = HP General Software 
HF = HP Hardware and Firmware 
MP = MPE/iX 
MU = Multi-Platform Software 
NS = NonStop Servers 
OV = OpenVMS 
PI = Printing and Imaging 
PV = ProCurve 
ST = Storage Software 
TU = Tru64 UNIX 

System management and security procedures must be reviewed frequently to maintain
system integrity. HP is continually reviewing and enhancing the security features of
software products to provide customers with current secure solutions.


eBook: Cybersecurity for Dummies

Posted on 16 December 2014.  |  APTs have changed the world of enterprise security and how networks and organizations are attacked. These threats, and the cybercriminals behind them, are experts at remaining hidden from traditional security while exhibiting an intelligence, resiliency, and patience that has never been seen before.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Dec 18th