TLS Vulnerability in HPE Integrated Lights-Out 3 Firmware
CVE-2016-4379

3.7LOW

Key Information:

Vendor

HP
Status
Integrated Lights-out 3 Firmware
Vendor
CVE Published:
8 September 2016

What is CVE-2016-4379?

The TLS implementation in HPE Integrated Lights-Out 3 firmware prior to version 1.88 has a significant vulnerability that fails to apply a proper MAC protection mechanism alongside CBC padding. This oversight enables remote attackers to conduct padding-oracle attacks, potentially exposing sensitive information. These attacks exploit weaknesses in how the product handles CBC padding, making it necessary for organizations to assess and update their firmware to mitigate risks associated with this vulnerability.

References

http://www.securitytracker.com/id/1036707
vdb-entryx_refsource_SECTRACK
https://www.iacr.org/archive/eurocrypt2002/23320530/cbc02...
x_refsource_MISC
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/do...
x_refsource_CONFIRM

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2016-4379 : TLS Vulnerability in HPE Integrated Lights-Out 3 Firmware