Hewlett Packard Enterprise has disclosed the discovery of a serious vulnerability in a previous version of its Lights-Out 3 embedded server management technology, which could be remotely exploited to trigger a denial of service (DoS) condition.
Officially designated CVE-2017-8987, the bug was discovered last September in iLO3 version 1.88 by Rapid7 researchers Ross Kirk and Adam McClenaghan. The problem was subsequently reported to HPE in November, but by that time, the issue had already been nullified with the 19 October, 2017 release of v1.89. After confirming that its latest version was not affected, HPE issued a security bulletin acknowledging the bug on 22 February of this year.
A 1 March blog post by Rapid7 further reveals that the vulnerability is exploitable via several HTTP methods and can provoke a DoS condition, caused by resource exhaustion, that lasts roughly 10 minutes, until a kernel module with watchdog functionality restarts the iLO3 device.
During these 10 minutes, open SSH sessions would become unresponsive and new ones could not be established, and the web portal log-in page would not be able load. The DoS condition does not, however, affect the operations of the host server's OS or applications; only the remote management functionality is impacted.