Integrated Lights-Out, or iLO, is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities. The physical connection is an Ethernet port that can be found on most ProLiant servers and microservers[1] of the 300 and above series.
iLO has similar functionality to the lights out management (LOM) technology offered by other vendors, for example Sun/Oracle's LOM port, Dell DRAC, the IBM Remote Supervisor Adapter and Cisco CIMC.
Features
iLO makes it possible to perform activities on an HP server from a remote location. The iLO card has a separate network connection (and its own IP address) to which one can connect via HTTPS. Possible options are:
- Reset the server (in case the server doesn't respond anymore via the normal network card)
- Power-up the server (possible to do this from a remote location, even if the server is shut down)
- Remote system console (in some cases however an 'Advanced license' may be required for some of the utilities to work)
- Mount remote physical CD/DVD drive or image
- Access the server's Integrated Management Log (IML)
- Can be manipulated remotely through XML-based Remote Insight Board Command Language (RIBCL)
- Full command-line interface support through RS-232 port (shared with system), though the inability to enter function keys prevents certain operations
Cost: The iLO vKVM features require a license fee. While the license itself can be bought from $130, the true cost of using iLO can easily total over $400 per server when you include all the hidden costs.
iLO provides some other utilities like virtual media (CD, floppy), virtual power and a remote console. iLO is either embedded on the system board, or available as a PCI card.
Availability
iLO is embedded or available on some HP ProLiant and Integrity servers.
Prior to iLO, Compaq created several other lights out management products. The original was the Remote Insight Board (RIB), which was available as an EISA or PCI expansion card. RIB was replaced with RILOE (Remote Insight Light-Out Edition), which was only available for PCI. The original RILOE was replaced with RILOE II. HP stopped manufacturing RILOE II in 2006. The final firmware version for RILOE is 2.53(A) dated 9 Mar 2004 and for RILOE II is 1.21 dated 5 July 2006.
For some ProLiant 100 series servers there is a 'Lights Out 100' option, which has more limited functionality. The LO100 is a traditional IPMI BMC, and does not share hardware or firmware with iLO.
There is also a version of iLO for HP Moonshot systems referred to as iLO Chassis Management which is often abbreviated as iLO CM. The Chassis Management version of iLO was derived from iLO 4.[2] As of June 2018 the most recent Chassis Manager Firmware available is version 1.56 which was released as part of the Moonshot Component Pack 2018.02.0.[3]
Versions
There have been multiple generations of iLO, each generation noted by a single digit number ('iLO 2'). Some generations of iLO are segmented into different editions, based on what features are licensed.[4] iLO includes updatable firmware, for which HP periodically releases new versions.
Name | Servers | SW & FW | Latest Firmware | Comments |
---|---|---|---|---|
iLO | ProLiant G2, G3, G4, and G6 servers, model numbers under 300 | support | 1.96 released 30 April 2014 | |
iLO 2 | ProLiant G5 and G6 servers, model numbers 300 and higher | support | 2.33 released 30 March 2018 | |
iLO 3 | ProLiant G7 servers | support | 1.91 released 20 November 2018 | |
iLO 4 | ProLiant Gen8 and Gen9 servers | support | 2.70 released 14 May 2019 | |
iLO 5 | ProLiant Gen10 servers[5] | support | 1.46 released 16 August 2019 | |
Programming Interfaces
Several APIs exist for interacting with HP iLO:
- Perl: Net::ILO
- Python: python-hpilo
- Ruby: ILOrb
- PowerShell: HPE Scripting Tools for Windows PowerShell
See also
- Intel Active Management Technology (iAMT)
References
- [1] 'HPE ProLiant MicroServer Generation 8 (Gen8)'. Hewlett Packard Enterprise. 23 October 2017. Archived from the original (pdf) on 31 October 2017. Retrieved 31 October 2017.
- [2] http://h17007.www1.hpe.com/docs/enterprise/servers/moonshot/webhelp/content/s_The_difference_between_iLO_CM_and_HP_iLO_201303191456.html
- [3] https://support.hpe.com/hpsc/doc/public/display?docId=a00044906en_us
- [4] 'HP Integrated Lights-Out (iLO) features comparison'. HP ProLiant Servers. Hewlett Packard Enterprise. 26 April 2012. Archived from the original on 26 January 2012. Retrieved 30 October 2017.
- [5] New iLO 5 for ProLiant Gen10 demo on YouTube
External links
- Remote management, Integrated Lights-Out products at hp.com
Introduction
iLO has been the server management solution embedded in almost every HPE server for more than 10 years. It provides every feature required by a system administrator to remotely manage a server without having to reach it physically. Such features include power management, remote system console, remote CD/DVD image mounting, as well as many monitoring indicators.
We've performed a deep dive security study of HPE iLO4 (known to be used on the family of servers HPE ProLiant Gen8 and ProLiant Gen9 servers) and the results of this study were presented at the REcon conference held in Brussels (February 2 - 4, 2018, see [1]). A follow-up of our study was presented at the SSTIC conference, held in France (Rennes, June 13 - 15, 2018, see [8]). We focused this talk on firmware backdooring and achieving long-term persistence.
In November 2018, we presented our latest research on HPE iLO4 and iLO5 at ZeroNights conference, held in Saint-Petersburg, Russia (November 20 - 21, 2018, see [11]). This talk was focused on the attack surface exposed to the host operating system and on the new secure boot feature (silicon root of trust) introduced with iLO5.
iLO4 runs on a dedicated ARM processor embedded in the server, and is totally independent from the main processor. It has a dedicated flash chip to hold its firmware, a dedicated RAM chip and a dedicated network interface. On the software side, the operating system is the proprietary RTOS GreenHills Integrity [2].
Results
One critical vulnerability was identified and reported to the HPE PSRT in February 2017, known as CVE-2017-12542 (CVSSv3 base score 9.8 [3]):
- Authentication bypass and remote code execution
- Fixed in iLO4 versions 2.53 (released in May 2017, buggy) and 2.54 [4]
A second critical vulnerability was identified in iLO4 and iLO5. It was reported to the HPE PSRT in April 2018 and is known as CVE-2018-7078 (CVSSv3 base score 7.2 [9], HPE Security Bulletin HPESBHF03844 [10]):
- Remote or local code execution
- Fixed in iLO4 version 2.60 (released in May 2018)
- Fixed in iLO5 version 1.30 (released in June 2018)
Finally a critical vulnerability was identified in the implementation of the secure boot feature of iLO5. It was reported to the HPE PSRT in September 2018 and is known as CVE-2018-7113 (CVSSv3 base score 6.4 [12], HPE Security Bulletin HPESBHF03894 [13]):
- Local Bypass of Security Restrictions
- Fixed in iLO5 version 1.37 (released in October 2018)
Slides and demos
REcon Brussels 2018
The slides from our REcon talk are available here. They cover the following points:
- Firmware unpacking and memory space understanding
- GreenHills OS Integrity internals:
  - kernel object model
  - virtual memory
  - process isolation
- Vulnerability discovery and exploitation
- Demonstration of a new exploitation technique that makes it possible to compromise the host server operating system through DMA.
To illustrate them, we also release the three demos as videos. The first one demonstrates the use of the vulnerability we discovered to bypass the authentication from the RedFish API.
In the second one we show how the vulnerability can also be turned into an arbitrary remote code execution (RCE) in the process of the web server, allowing read access to the iLO file-system for example.
Finally, in the third video, we leverage this RCE to exploit an iLO4 feature which gives us read/write (RW) access to the host memory and lets us inject a payload in the host Linux kernel.
SSTIC 2018
The slides from our SSTIC talk are available at this location (more details can be found in the paper). After a brief recap of our REcon talk, we propose the following new materials:
- Firmware security and boot chain analysis
- Backdoor architecture
To illustrate these works, we release a new demo as video. It demonstrates the use of the vulnerability we discovered in the web server to flash a new backdoored firmware. Then we demonstrate the use of the DMA communication channel to execute arbitrary commands on the host system.
ZeroNights 2018
The material we presented at ZeroNights is available from there. It contains two major contributions.
First, an analysis of the communication channel between the host system and the iLO (4 or 5), known as CHIF channel interface. It opens a new attack surface, exposed to the host (even though iLO is set as disabled). We demonstrated that the exploitation of CVE-2018-7078 could allow us to flash a backdoored firmware from the host through this interface.
Then, an in-depth review of the new secure boot feature introduced with iLO5 and HPE Gen10 server line. It covers the complete bootchain, from the iLO ASIC (silicon root of trust) down to the Integrity kernel and userland images. We discovered a logic error (CVE-2018-7113) in the kernel code responsible for the integrity verification of the userland image, which can be exploited to break the chain-of-trust.
To illustrate this defeat of the secure boot feature, we propose the new video below. It demonstrates the exploitation of the logic error to update the iLO5 firmware with a compromised firmware embedding a backdoored userland image in which the banner of the SSH server has been altered.
A proof of concept implementing the secure boot bypass alone is available in ilo5_PoC_secure_boot_bypass.py. The fum vulnerability and HP Signed File signature bypass is demonstrated in ilo5_PoC_fum_sig_bypass.py.
Insomni’Hack 2019
The slides from our talk at Insomni’Hack, available from this link, intend to wrap up most of our work on the iLO 4 and 5 systems.
A brief analysis of the anti-downgrade feature is introduced, as well as a teaser on the whitepaper we published in collaboration with Adrien Guinet (from Quarkslab) on How to defeat NotPetya from your iLO4.
Related works
A critical vulnerability was identified by Nicolas Iooss from The French National Cybersecurity Agency (ANSSI) in the SSH service of iLO3, iLO4 and iLO5. It was reported to the HPE PSRT in April 2018 and is known as CVE-2018-7105 (CVSSv3 base score 7.2 [14], HPE Security Bulletin HPESBHF03866 [15]):
- Remote execution of arbitrary code, local disclosure of sensitive information
- Fixed in iLO3 version 1.90 (released in August 2018)
- Fixed in iLO4 version 2.61 (released in September 2018)
- Fixed in iLO5 version 1.35 (released in August 2018)
Thank you Nicolas for sharing test and exploitation scripts for this issue.
Using this vulnerability it is also possible to play with PCILeech on HP iLO4 without the need for a modified firmware. Although very slow for a big memory dump, it works very well when targeting specific memory location, as done by the Windows KMD load in PCILeech. See the PCILeech HP iLO4 Service repository [16].
Tooling
To support our research we've developed scripts and tools to help us automate some tasks, especially firmware unpacking and mapping.
Firmware
The ilo4_extract.py script takes an HP Signed file as input (obtained from the update package). It is invoked with:
Extract from the output log:
From the extracted file, ilo0.bin is the Integrity applicative image (userland). It contains all the tasks that will run on the iLO system. To parse each of these tasks and generate the IDA Pro loading script, one can use the script dissection.rb.
It relies upon the Metasm framework [5] and also requires the Bindata library [6].
Back to the kernel image, ilo4_extract.py told us that:
Using IDA Pro to load the extracted file ilo1.bin at 0x20001000 as ARM code, one can also study the Integrity kernel.
- secinfo4.py parses the section information embedded into the kernel image and creates the appropriate memory segment in the disassembler
- parse_mr.py dumps the registered Memory Region objects
iLO5 format differs slightly but is supported as well. ilo5_extract.py and dissection.rb scripts can be used in the same way as for iLO4 to extract the Integrity applicative image.
Firmware backdooring
The insert_backdoor.sh script can be run on a legitimate firmware file to add a backdoor in the webserver module. The backdoor can then be used with the backdoor_client.py script.
Forensics
The exploit_check_flash.py script can be run against an instance of HP iLO4 vulnerable to CVE-2017-12542. Its purpose is to dump the content of the flash and then compare its digest with a known 'good' value.
Network
Finally, to help people scan for existing vulnerable iLO systems exposed in their own infrastructures, we release a simple Go scanner. It attempts to fetch a special iLO page: /xmldata?item=ALL; if it exists, then it extracts the firmware version and HP server type.
First edit the 'targets' variable in the code and specify the internal IP ranges you want to scan.
Then compile the code for your OS/architecture.
For example:
Then look at the result in /tmp/iloscan.log (can be changed in the source):
Alternatively, you can invoke the binary with a subnet on the command line (individual IP addresses should be specified as a /32 netmask):
Authors
- Fabien PERIGAUD - fabien [dot] perigaud [at] synacktiv [dot] com - @0xf4b
- Alexandre GAZET - alexandre [dot] gazet [at] airbus [dot] com
- Joffrey CZARNY - snorky [at] insomnihack [dot] net - @_Sn0rkY
License
The scripts and scanner are released under the [GPLv2].
References
[1] | https://recon.cx/2018/brussels/talks/subvert_server_bmc.html |
[2] | https://www.ghs.com/products/rtos/integrity.html |
[3] | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12542 |
[4] | http://h20565.www2.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us |
[5] | https://github.com/jjyg/metasm |
[6] | https://github.com/dmendel/bindata |
[8] | https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/ |
[9] | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7078 |
[10] | https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03844en_us |
[11] | https://2018.zeronights.ru/en/reports/turning-your-bmc-into-a-revolving-door/ |
[12] | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7113 |
[13] | https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03894en_us |
[14] | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7105 |
[15] | https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03866en_us |
[16] | https://github.com/Synacktiv/pcileech_hpilo4_service |
[GPLv2] | https://github.com/airbus-seclab/ilo4_toolbox/blob/master/COPYING |