CVE-2017-12542
Published: 2018-02-15
CVE-2017-12542: An authentication bypass and code execution vulnerability in HPE Integrated Lights-out 4 (iLO 4) versions prior to 2.53 was found.
Priority: P1 · 97 · critical · 10.0 · CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Ransomware · Initial access
Exploited in the wild
EPSS: 99.33% (99.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | integrated_lights-out_4 | — | — |
| hp | integrated_lights-out_4_firmware | < 2.53 | 2.53 |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by inspecting HTTP requests to /rest/v1/AccountService/Accounts with a Connection header value consisting of 29 or more repeated 'A' characters (buffer overflow trigger).
- Alert on unauthenticated HTTP GET or POST requests to the iLO REST API endpoint /rest/v1/AccountService/Accounts, especially when the response body contains 'iLO User' and HTTP 200 status, indicating successful authentication bypass.
- Monitor for POST requests to /rest/v1/AccountService/Accounts with a JSON body containing elevated iLO privilege fields (LoginPriv, RemoteConsolePriv, UserConfigPriv, VirtualMediaPriv, iLOConfigPriv, VirtualPowerAndResetPriv all set to true), indicating new admin account creation via the exploit.
- The vulnerability is triggered by a buffer overflow in the Connection HTTP header handling by the iLO 4 web server; any anomalously long or non-standard Connection header value targeting iLO 4 management interfaces should be treated as suspicious.
- The exploit only covers one of three vulnerabilities under CVE-2017-12542; the other two are only triggerable locally on the host itself and are not addressed by this network-based exploit.
- All HP iLO interfaces run on HTTPS but typically use self-signed SSL certificates; detection tooling must be configured to inspect HTTPS traffic or operate on the iLO management network segment.
- The authentication bypass affects iLO 4 versions 1.00 through 2.50 inclusive; version 2.53 and later are not vulnerable.
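As an added example (not code from this page or from any of the sources it aggregates), the following Python applies the three request-level indicators above to constructed sample traffic: the 29-or-more 'A' Connection header, an unauthenticated 200 response from /rest/v1/AccountService/Accounts containing 'iLO User', and a POST whose JSON body sets all six privilege flags to true. It also flags any other non-standard Connection header, as the fourth bullet recommends. The `HttpRecord` layout, the header names used to decide whether a call is authenticated, the 16-character token limit for a normal Connection value, and the nesting of the privilege flags in the sample JSON are assumptions of this example.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class HttpRecord:
    """One logged request/response pair seen by a proxy or IDS on the iLO network.
    The field layout is this example's own assumption, not an iLO or vendor log format."""
    method: str
    path: str
    headers: Dict[str, str]
    status: int
    request_body: str = ""
    response_body: str = ""


ACCOUNTS_PATH = "/rest/v1/AccountService/Accounts"
# The six privilege flags named in the indicators; all true marks an admin-equivalent user.
PRIV_FIELDS = frozenset({"LoginPriv", "RemoteConsolePriv", "UserConfigPriv",
                         "VirtualMediaPriv", "iLOConfigPriv", "VirtualPowerAndResetPriv"})
# Legitimate Connection values are short comma-separated tokens ("keep-alive", "close",
# "Upgrade, HTTP2-Settings"); the 16-character token limit is an assumption of this example.
NORMAL_CONNECTION = re.compile(r"^[A-Za-z0-9-]{1,16}(\s*,\s*[A-Za-z0-9-]{1,16})*$")


def header(rec: HttpRecord, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in rec.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_authenticated(rec: HttpRecord) -> bool:
    # Assumption: a legitimate REST call carries HTTP Basic credentials or a session token.
    return header(rec, "Authorization") is not None or header(rec, "X-Auth-Token") is not None


def true_privileges(obj, found: Set[str]) -> Set[str]:
    """Collect privilege flags set to true at any depth of a parsed JSON body, so the
    check does not depend on where the Privileges object is nested."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in PRIV_FIELDS and value is True:
                found.add(key)
            true_privileges(value, found)
    elif isinstance(obj, list):
        for value in obj:
            true_privileges(value, found)
    return found


def check_record(rec: HttpRecord) -> List[str]:
    """Apply the request-level indicators and return the names of those that fire."""
    findings: List[str] = []
    conn = header(rec, "Connection")
    if conn is not None:
        if re.fullmatch(r"A{29,}", conn):
            findings.append("connection-header-overflow-trigger")  # the published trigger
        elif not NORMAL_CONNECTION.match(conn):
            findings.append("connection-header-anomalous")  # long or non-standard value
    if rec.path.startswith(ACCOUNTS_PATH):
        if not is_authenticated(rec) and rec.status == 200 and "iLO User" in rec.response_body:
            findings.append("unauthenticated-account-listing")
        if rec.method.upper() == "POST":
            try:
                body = json.loads(rec.request_body) if rec.request_body else {}
            except ValueError:
                body = {}
            if true_privileges(body, set()) >= PRIV_FIELDS:
                findings.append("privileged-account-creation")
    return findings


def scan(records: List[HttpRecord]) -> Dict[int, List[str]]:
    """Return {record index: findings} for every record that fired at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        fired = check_record(rec)
        if fired:
            hits[i] = fired
    return hits


# Constructed sample traffic (not captured data): one benign authenticated listing,
# then records matching the indicators above. Nesting the flags under
# Oem.Hp.Privileges is an assumption of this example.
SAMPLE_RECORDS = [
    HttpRecord("GET", ACCOUNTS_PATH,
               {"Authorization": "Basic QWRtaW46Kioq", "Connection": "keep-alive"}, 200,
               response_body='{"Items":[{"Oem":{"Hp":{"LoginName":"iLO User"}}}]}'),
    HttpRecord("GET", ACCOUNTS_PATH, {"Connection": "A" * 29}, 200,
               response_body='{"Items":[{"Oem":{"Hp":{"LoginName":"iLO User"}}}]}'),
    HttpRecord("POST", ACCOUNTS_PATH,
               {"Connection": "A" * 29, "Content-Type": "application/json"}, 201,
               request_body=json.dumps({"UserName": "svc", "Password": "REDACTED",
                                        "Oem": {"Hp": {"Privileges": {p: True for p in PRIV_FIELDS}}}})),
    HttpRecord("GET", "/rest/v1/Systems/1",
               {"Authorization": "Basic QWRtaW46Kioq", "Connection": "A" * 20}, 200),
]

if __name__ == "__main__":
    for idx, fired in scan(SAMPLE_RECORDS).items():
        print(f"record {idx}: {', '.join(fired)}")
```

Because iLO serves the REST API over HTTPS with a self-signed certificate, records like these are only available to a detector that terminates or inspects TLS on the management segment; the third bullet's caveat applies to this logic as well. The privilege walk is deliberately nesting-agnostic so a body that places the flags elsewhere still matches when all six are true.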
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 10.0 | CRITICAL | — |
GHSA
GHSA-7m3v-cw5q-g499: An authentication bypass and code execution vulnerability in HPE Integrated Lights-out 4 (iLO 4) version prior to 2
ghsa_unreviewed · 2022-05-14 · CVE-2017-12542 [CRITICAL]
An authentication bypass and code execution vulnerability in HPE Integrated Lights-out 4 (iLO 4) versions prior to 2.53 was found.
VulnCheck
HPE Integrated Lights-out 4 Code Execution
vulncheck · 2017 · CVSS 10.0 · CVE-2017-12542 [CRITICAL]
An authentication bypass and code execution vulnerability in HPE Integrated Lights-out 4 (iLO 4) versions prior to 2.53 was found.
Affected: HP integrated_lights-out_4_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
- https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf
- https://www.horizon3.ai/wp-content/uploads/2024/03/Proactive_Cybersecurity_Unleashed.pdf
Exploit PoC:
- https://vulncheck.com/xdb/bb2328d8af2f
- https://vulncheck.com/xdb/6cfe3c350897
- https://vulncheck.com/xdb/9d0
No detection rules found.
Exploit-DB
HPE iLO 4 < 2.53 - Add New Administrator User
exploitdb · 2018-02-05 · CVSS 10.0 · CVE-2017-12542 [CRITICAL]
---
```python
#!/usr/bin/env python
"""
Exploit trigger was presented @reconbrx 2018
Vulnerability found and documented by synacktiv:
https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html
Original advisory from HP:
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
Other advisories for this CVE:
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://securitytracker.com/id/1039222
IMPORTANT:
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITIES COVERED BY CVE-2017-12542!!!
The two other vulns are critical as well, but only triggerable on the host itself.
"""
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import json
import urllib3
#all of
```
Metasploit
HP iLO 4 1.00-2.50 Authentication Bypass Administrator Account Creation
metasploit
This module exploits an authentication bypass in HP iLO 4 1.00 to 2.50, triggered by a buffer overflow in the Connection HTTP header handling by the web server. Exploiting this vulnerability gives full access to the REST API, allowing arbitrary account creation.
Nuclei
HPE Integrated Lights-out 4 (ILO4) <2.53 - Authentication Bypass
nuclei · CVSS 10.0 · CVE-2017-12542 [CRITICAL]
HPE Integrated Lights-out 4 (iLO 4) prior to 2.53 was found to contain an authentication bypass and code execution vulnerability.
Template:
```yaml
id: CVE-2017-12542

info:
  name: HPE Integrated Lights-out 4 (ILO4) <2.53 - Authentication Bypass
  author: pikpikcu
  severity: critical
  description: HPE Integrated Lights-out 4 (iLO 4) prior to 2.53 was found to contain an authentication bypass and code execution vulnerability.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to bypass authentication and gain unauthorized access to the affected system.
  remediation: |
    Upgrade HPE Integrated Lights-out 4 (ILO4) to version 2.53 or later to mitigate this vulnerability.
  reference:
    - https://www.exploit-db.com/exploits
```
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · CVE-2020-28188 [HIGH]
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42 (article metadata)
Network Attack Trends: Internet of Threats (November 2020-January 2021)
Authors: Lei Xu, Yue Guan, Vaibhav Singhal
Published: April 12, 2021
Tags: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends
References:
- http://www.securityfocus.com/bid/100467
- http://www.securitytracker.com/id/1039222
- https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_us
- https://www.exploit-db.com/exploits/44005/