Remote Lights-Out Mgmt (iLO 2, iLO, RILOE II) Forum

iLO 2 Qualys Vulnerability Report Remediation CVE-2011-3389 Qualys QID: 42366

DigitalNomadIL
New Member.

Hello All,

I have an open ticket with HP support that hasn't moved on this issue so I'm hoping that someone may be able to offer some options.

Under heightened security, a recent scan of iLO 2's revealed a few unresolvable vulnerabilities, specifically the "SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)" on port 443/tcp over SSL, and an inability to use TLS 1.2.

So far, I've:

Flashed the iLO to the latest firmware release, 2.27

Disabled IPMI

Created an internal CA certificate

Enabled AES/3DES encryption

Does anyone have any insight on this, or an idea of what the current recommended and/or planned mitigation for this issue is?


Is there a way to change cipher priority? Command-line options?
Is there a way to disable everything below TLS 1.1/1.2? Is the iLO even capable of 1.1/1.2? Are there any command-line options?

I know that this takes security to the nth degree on these devices, but that's the new world.

Any help would be appreciated, many thanks

DGN

1 REPLY
Oscar A. Perez
Outstanding Contributor.

Re: iLO 2 Qualys Vulnerability Report Remediation CVE-2011-3389 Qualys QID: 42366

The fix for CVE-2011-3389 (a.k.a. BEAST) went into iLO2 v2.12.

Once you have installed on each of your iLOs a "trusted" SSL Certificate signed by your own Certification Authority, go to iLO2 webUI->Administration->Access->Options and ensure that the option called "SSL empty records for CBC-Mode Cipher suite" is enabled.

Both SSLv3 (now deprecated) and TLS 1.0 can be safely used with CBC cipher-suites once the SSL empty records fix is enabled.

Some port scanners falsely flag iLO2 as vulnerable to BEAST. Try a scanner that actually does the proper BEAST test and then scan iLO2 with the SSL empty records setting enabled and disabled.

Of course, if you still have the default Self-Signed SSL Certificates in place, you have bigger problems since you are vulnerable to MITM attacks no matter what.

Regards,

Oscar

__________________________________________________
I work for Hewlett Packard
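The reply above turns on two things a practitioner will want to verify independently of whatever the vendor scanner reports: which protocol versions the iLO actually accepts on 443/tcp, and whether the suite it negotiates under SSLv3/TLS 1.0 is CBC-mode (the condition QID 42366 keys on). The script below is an added example, not code from the thread or from HP; it pins each handshake to exactly one protocol version using Python's standard `ssl` module and classifies the negotiated suite by its OpenSSL name. The hostname `ilo.example.internal` is an assumed placeholder. A handshake-only probe like this can tell you what versions and suites the server will negotiate, but it cannot observe the 1/n-1 empty-record splitting that the "SSL empty records for CBC-Mode Cipher suite" option enables, since that happens in application-data records after the handshake; that is exactly why a scanner that only looks at the handshake can report a false positive.

```python
"""Probe which TLS protocol versions an HTTPS endpoint (e.g. an iLO 2 on
443/tcp) will negotiate, and flag CBC-mode cipher suites.

Added example, not from the forum post or from HP. Assumes Python 3.7+ and
a local OpenSSL build that still permits the legacy versions being probed;
modern builds frequently refuse SSLv3 and TLS 1.0 outright, which the probe
reports as 'refused' just as it would a server-side refusal.
"""
import socket
import ssl
import sys
from typing import Dict, Optional, Tuple

# Versions to try, oldest first. SSLv3 and TLS 1.0 are the ones the
# QID 42366 / CVE-2011-3389 (BEAST) finding concerns.
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def is_cbc_suite(name: str) -> bool:
    """True if an OpenSSL cipher-suite name denotes a CBC-mode block cipher.

    AEAD modes (GCM, CCM, CHACHA20-POLY1305), the RC4 stream cipher and
    NULL encryption are not CBC. Any remaining suite naming a block cipher
    (AES, 3DES as DES-CBC3, DES, CAMELLIA, SEED, IDEA) is CBC in OpenSSL's
    naming scheme.
    """
    n = name.upper()
    if any(tok in n for tok in ("GCM", "CCM", "CHACHA20", "RC4", "NULL")):
        return False
    return any(tok in n for tok in ("AES", "DES", "CAMELLIA", "SEED", "IDEA"))


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[str]:
    """Handshake pinned to exactly one protocol version.

    Returns the negotiated cipher-suite name, or None if the server (or the
    local OpenSSL) refuses that version. Certificate verification is
    deliberately off here: this is a protocol probe, not a trust check, so
    it works against the default self-signed iLO certificate too.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Security level 0 lets the client offer legacy suites that a
        # default OpenSSL configuration would not even propose.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None  # local library cannot speak this version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def assess(results: Dict[str, Optional[str]]) -> Tuple[bool, bool]:
    """Summarise a probe as (legacy_cbc_offered, tls12_supported).

    legacy_cbc_offered is what BEAST-style findings key on: SSLv3 or
    TLS 1.0 accepted with a CBC suite. A server that applies 1/n-1 record
    splitting will still show True here; the split is not visible at
    handshake level.
    """
    legacy_cbc = any(
        suite is not None and is_cbc_suite(suite)
        for ver, suite in results.items() if ver in ("SSLv3", "TLSv1.0")
    )
    return legacy_cbc, results.get("TLSv1.2") is not None


def main(argv) -> None:
    host = argv[1] if len(argv) > 1 else "ilo.example.internal"  # assumed
    port = int(argv[2]) if len(argv) > 2 else 443
    results = {name: probe_version(host, port, ver) for name, ver in VERSIONS}
    for name, suite in results.items():
        flag = "CBC" if suite and is_cbc_suite(suite) else ""
        print(f"{name:8s} {suite or 'refused':32s} {flag}")
    legacy_cbc, tls12 = assess(results)
    print(f"legacy CBC offered: {legacy_cbc} | TLS 1.2 supported: {tls12}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 probe.py <ilo-host> 443` once with the empty-records option enabled and once with it disabled: the output should not change, which is the point of the reply's closing advice. If TLS 1.2 shows as refused while TLS 1.0 negotiates, the firmware simply does not offer it and there is no client-side cipher ordering that will change that.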
