CVE-2017-12542
published 2018-02-15

CVE-2017-12542: An authentication bypass and code execution vulnerability in HPE Integrated Lights-Out 4 (iLO 4) firmware versions prior to 2.53 was found.

Priority: P1 · 97 · critical · 10 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Ransomware · Initial access
Exploited in the wild
EPSS: 99.33% (99.9th percentile)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
hewlett_packard_enterprise | integrated_lights-out_4 | |
hp | integrated_lights-out_4_firmware | < 2.53 | 2.53

Detection & IOCs (extracted from sources)

url: /rest/v1/AccountService/Accounts
other: Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (29 x 'A')
other: Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
path: /rest/v1/AccountService/Accounts
  • Detect exploit attempts by inspecting HTTP requests to /rest/v1/AccountService/Accounts with a Connection header value consisting of 29 or more repeated 'A' characters (buffer overflow trigger).
  • Alert on unauthenticated HTTP GET or POST requests to the iLO REST API endpoint /rest/v1/AccountService/Accounts, especially when the response body contains 'iLO User' and HTTP 200 status, indicating successful authentication bypass.
  • Monitor for POST requests to /rest/v1/AccountService/Accounts with a JSON body containing elevated iLO privilege fields (LoginPriv, RemoteConsolePriv, UserConfigPriv, VirtualMediaPriv, iLOConfigPriv, VirtualPowerAndResetPriv all set to true), indicating new admin account creation via the exploit.
  • The vulnerability is triggered by a buffer overflow in the Connection HTTP header handling by the iLO 4 web server; any anomalously long or non-standard Connection header value targeting iLO 4 management interfaces should be treated as suspicious.
  • The exploit only covers one of three vulnerabilities under CVE-2017-12542; the other two are only triggerable locally on the host itself and are not addressed by this network-based exploit.
  • All HP iLO interfaces run on HTTPS but typically use self-signed TLS certificates; detection tooling must be configured to inspect HTTPS traffic or operate on the iLO management network segment.
  • The authentication bypass affects iLO 4 versions 1.00 through 2.50 inclusive; version 2.53 and later are not vulnerable.
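
The detection bullets above, turned into a request-level classifier. This is an added example, not code from the page, from HPE, or from any published exploit. It assumes a sensor that sees decrypted HTTP on the iLO management segment (per the TLS caveat above), and it treats a request that carries none of Authorization, X-Auth-Token or Cookie as unauthenticated; that header set is an assumption about what a normal iLO session carries. The privilege check walks the whole JSON body rather than assuming where iLO nests the Oem privilege object. The sample requests and the "iLO User" response body are constructed, not captured.

```python
import json
import re
from typing import Any, Dict, List, Optional, Set, Tuple

# Added example (not from the page or HPE). Detection logic for the IOCs listed above.
TARGET_PATH = "/rest/v1/AccountService/Accounts"
OVERFLOW_RE = re.compile(r"A{29,}")            # 29+ repeated 'A' in the Connection header
STANDARD_CONNECTION = {"keep-alive", "close", "upgrade"}
ADMIN_PRIVS: Set[str] = {"LoginPriv", "RemoteConsolePriv", "UserConfigPriv",
                         "VirtualMediaPriv", "iLOConfigPriv", "VirtualPowerAndResetPriv"}
# Assumption: a normal iLO session carries one of these; absence => unauthenticated.
AUTH_HEADERS = {"authorization", "x-auth-token", "cookie"}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, path, lowercased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def true_privileges(node: Any) -> Set[str]:
    """Collect iLO privilege fields set to true anywhere in a JSON document, so the
    check does not depend on the exact Oem nesting used by the request."""
    found: Set[str] = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ADMIN_PRIVS and value is True:
                found.add(key)
            found |= true_privileges(value)
    elif isinstance(node, list):
        for item in node:
            found |= true_privileges(item)
    return found


def classify(raw_request: str, status: Optional[int] = None,
             response_body: str = "") -> List[str]:
    """Return the detection labels that fire for one request (and, if given, its response)."""
    method, path, headers, body = parse_request(raw_request)
    findings: List[str] = []
    if path != TARGET_PATH:                    # only the endpoint named in the IOCs
        return findings
    connection = headers.get("connection", "")
    if OVERFLOW_RE.search(connection):
        findings.append("connection_header_overflow")
    elif connection and connection.lower() not in STANDARD_CONNECTION:
        findings.append("nonstandard_connection_header")
    if not (AUTH_HEADERS & set(headers)):
        findings.append("unauthenticated_accounts_request")
        if status == 200 and "iLO User" in response_body:
            findings.append("auth_bypass_succeeded")
    if method == "POST" and body:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        if doc is not None and true_privileges(doc) == ADMIN_PRIVS:
            findings.append("admin_account_creation")
    return findings


def build_request(method: str, path: str, headers: Dict[str, str], body: str = "") -> str:
    """Helper to assemble constructed sample requests."""
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed samples (not real captures).
EXPLOIT_GET = build_request("GET", TARGET_PATH,
                            {"Host": "192.0.2.10", "Connection": "A" * 29})
EXPLOIT_POST = build_request(
    "POST", TARGET_PATH,
    {"Host": "192.0.2.10", "Connection": "A" * 29, "Content-Type": "application/json"},
    json.dumps({"UserName": "svc", "Password": "x",
                "Oem": {"Hp": {"Privileges": {p: True for p in sorted(ADMIN_PRIVS)}}}}))
BENIGN_GET = build_request("GET", TARGET_PATH,
                           {"Host": "192.0.2.10", "Authorization": "Basic QWxhZGRpbjpvcGVu",
                            "Connection": "keep-alive"})
SAMPLE_RESPONSE = '{"Items":[{"Description":"iLO User"}]}'  # constructed

if __name__ == "__main__":
    for name, raw in [("exploit GET", EXPLOIT_GET), ("exploit POST", EXPLOIT_POST),
                      ("benign GET", BENIGN_GET)]:
        print(name, classify(raw, status=200, response_body=SAMPLE_RESPONSE))
```

The overflow label fires on the request alone; the bypass-succeeded label needs the response, which is why the sensor has to be inline or on a TLS-terminating mirror rather than a flow collector.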

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 10.0 | CRITICAL |