HP iLO 3 < 1.93 / HP iLO 4 < 2.75 / HP iLO Superdome 4 < 1.64 / HP iLO 5 < 2.18 / HP Moonshot/Edgeline iLO 5 < 2.30 Ripple20 Multiple vulnerabilities

critical Nessus Plugin ID 140770
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote HP Integrated Lights-Out server's web interface is affected by multiple vulnerabilities.

Description

Multiple security vulnerabilities have been identified in Integrated Lights-Out firmware generation 3 (iLO 3) prior to version 1.93, generation 4 (iLO 4) prior to version 2.75, and generation 5 (iLO 5) prior to version 2.18. Superdome generation 4 versions prior to 1.64 and Moonshot/Edgeline generation 5 versions prior to 2.30 are also vulnerable. The vulnerabilities could be remotely exploited to execute code, cause denial of service, and expose sensitive information.

Note: These vulnerabilities are collectively named Ripple20. iLO 3, iLO4, and iLO 5 are only exposed to a portion of the Ripple20 vulnerabilities.

Solution

Upgrade to HP iLO 3 firmware version 1.93 or later, iLO 4 firmware version 2.75 or later, or iLO 4 for Superdome version 1.64 or later, or HP iLO 5 firmware version 2.18 or HP Moonshot/Edgeline iLO 5 to version 2.30 or later.

See Also

http://www.nessus.org/u?1e67ddae

http://www.nessus.org/u?c6c38e9e

Plugin Details

Severity: Critical

ID: 140770

File Name: ilo_HPESBHF_04012.nasl

Version: 1.4

Type: remote

Family: CGI abuses

Published: 9/24/2020

Updated: 5/18/2021

Dependencies: ilo_detect.nasl

Risk Information

CVSS Score Source: CVE-2020-11896

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:hp:integrated_lights-out_firmware, cpe:/o:hp:integrated_lights-out_3_firmware, cpe:/o:hp:integrated_lights-out_4_firmware, cpe:/o:hp:integrated_lights-out_5_firmware

Required KB Items: www/ilo, ilo/generation, ilo/firmware

Exploit Ease: No known exploits are available

Patch Publication Date: 8/20/2020

Vulnerability Publication Date: 7/13/2020

Reference Information

CVE: CVE-2020-11896, CVE-2020-11898, CVE-2020-11900, CVE-2020-11906, CVE-2020-11907, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914

HP: HPESBHF04012