CVE-2016-4379

3.7LOW

Key Information:

Vendor
HP
Status
Integrated Lights-out 3 Firmware
Vendor
CVE Published:
8 September 2016

Summary

The TLS implementation in HPE Integrated Lights-Out 3 (aka iLO3) firmware before 1.88 does not properly use a MAC protection mechanism in conjunction with CBC padding, which allows remote attackers to obtain sensitive information via a padding-oracle attack, aka a Vaudenay attack.

References

http://www.securitytracker.com/id/1036707
vdb-entryx_refsource_SECTRACK
https://www.iacr.org/archive/eurocrypt2002/23320530/cbc02...
x_refsource_MISC
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/do...
x_refsource_CONFIRM

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.