Remote Code Execution Vulnerability in HPE Integrated Lights-Out for Gen10, Gen4, and Gen3 Servers
CVE-2018-7105

7.2 HIGH

Summary

HPE Integrated Lights-Out (iLO) products for Gen10, Gen4, and Gen3 servers are affected by a vulnerability that allows remote attackers to execute arbitrary code. The flaw exists in versions prior to v1.35 for iLO 5, v2.61 for iLO 4, and v1.90 for iLO 3. Exploitation could lead to unauthorized access and disclosure of sensitive information; updating to the latest firmware versions mitigates the risk.

Affected Version(s)

  • HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers: prior to v1.35

  • HPE Integrated Lights-Out 4 (iLO 4): prior to v2.61

  • HPE Integrated Lights-Out 3 (iLO 3): prior to v1.90

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
