Network Security, Patch/Configuration Management, Vulnerability Management

Old version of HPE Lights-Out server management tech contains DoS vulnerability


Hewlett Packard Enterprise has disclosed the discovery of a serious vulnerability in a previous version of its Lights-Out 3 embedded server management technology, which could be remotely exploited to trigger a denial of service (DoS) condition.

Officially designated CVE-2017-8987, the bug was discovered last September in iLO3 version 1.88 by Rapid7 researchers Ross Kirk and Adam McClenaghan. The problem was subsequently reported to HPE in November, but by that time, the issue had already been nullified with the Oct. 19, 2017 release of v1.89. After confirming that its latest version was not affected, HPE issued a security bulletin acknowledging the bug on Feb. 22 of this year.

A Mar. 1 blog post by Rapid7 further reveals that the vulnerability is exploitable via several HTTP methods and can provoke a DoS condition, caused by resource exhaustion, that lasts roughly 10 minutes, until a kernel module with watchdog functionality restarts the iLO3 device.

During these 10 minutes, open SSH sessions would become unresponsive and new ones could not be established, and the web portal log-in page would not be able load. The DoS condition does not, however, affect the operations of the host server's OS or applications; only the remote management functionality is impacted.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.