Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
40 lines (29 sloc) 2.66 KB

ATREDIS-2018-0007: Cross-Site Scripting in HPE iLO Web UI

Vulnerability Type

Input Validation

Vendors

  • Hewlett Packard Enterprise

Affected Products

  • HPE iLO 5 (v1.35 and below)

Summary

The Integrated Lights-Out (iLO) web interface is vulnerable to cross-site scripting (XSS), as it does not properly sanitize the value of the iLO's "domain name" setting. An attacker able to exploit this vulnerability could potentially force an authenticated user of the iLO web interface to perform administrative commands on their behalf and/or expose sensitive information.

Mitigation

HPE has provided an updated firmware image for iLO that addresses the Cross-Site Scripting vulnerability.

Credit

This vulnerability was found by Zach Lanier of Atredis Partners

References

Report Timeline

  • 2018-12-04: Atredis Partners sent vulnerability details to HPE
  • 2018-12-05: HPE acknowledged the report
  • 2019-01-22: Atredis Partners sent vulnerability details to CERT/CC (VRF#19-01-FLMHP)
  • 2019-01-24: HPE indicates that fix is in a pending release
  • 2019-02-04: HPE releases security bulletin and firmware update addressing the issue
  • 2019-03-08: Atredis Partners publishes this advisory

Technical Details

The iLO web interface does not properly sanitize the value of the device's domain name, which could lead to cross-site scripting (XSS). If the iLO is configured to use DHCP for obtaining network information (such as IP address, domain name, default gateway, DNS, etc.), it will use the "domain name" value (as provided by the DHCP server) in multiple pages of the web UI. However, this value is not sanitized to ensure that it does not contain browser-significant data, such as JavaScript. If an attacker or rogue insider configures a DHCP server to supply such data to the iLO, it may be possible to have an iLO administrator's browser load malicious JavaScript.

The DHCP "domain name" could contain a simple HTML <script> tag with a JavaScript alert box. After logging into the iLO web UI and browsing to an affected page, such as the the iLO Federation - Group Configuration section, this JavaScript would then rendered in the authenticated user's browser. An attacker could also specify an external JavaScript resource, providing greater opportunities and capabilities for the payload.

The iLO web service has no controls in place, such as the use of certain HTTP headers, that would mitigate this issue.

You can’t perform that action at this time.