Input Validation
- Hewlett Packard Enterprise
- HPE iLO 5 (v1.35 and below)
The Integrated Lights-Out (iLO) web interface is vulnerable to cross-site scripting (XSS), as it does not properly sanitize the value of the iLO's "domain name" setting. An attacker able to exploit this vulnerability could potentially force an authenticated user of the iLO web interface to perform administrative commands on their behalf and/or expose sensitive information.
HPE has provided an updated firmware image for iLO that addresses the Cross-Site Scripting vulnerability.
This vulnerability was found by Zach Lanier of Atredis Partners
- https://support.hpe.com/hpsc/doc/public/display?docId=a00048134en_us
- https://cwe.mitre.org/data/definitions/79.html
- https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=es_ES&docId=emr_na-hpesbhf03907en_us
- 2018-12-04: Atredis Partners sent vulnerability details to HPE
- 2018-12-05: HPE acknowledged the report
- 2019-01-22: Atredis Partners sent vulnerability details to CERT/CC (VRF#19-01-FLMHP)
- 2019-01-24: HPE indicates that fix is in a pending release
- 2019-02-04: HPE releases security bulletin and firmware update addressing the issue
- 2019-03-08: Atredis Partners publishes this advisory
The iLO web interface does not properly sanitize the value of the device's domain name, which could lead to cross-site scripting (XSS). If the iLO is configured to use DHCP for obtaining network information (such as IP address, domain name, default gateway, DNS, etc.), it will use the "domain name" value (as provided by the DHCP server) in multiple pages of the web UI. However, this value is not sanitized to ensure that it does not contain browser-significant data, such as JavaScript. If an attacker or rogue insider configures a DHCP server to supply such data to the iLO, it may be possible to have an iLO administrator's browser load malicious JavaScript.
The DHCP "domain name" could contain a simple HTML <script> tag with a JavaScript alert box. After logging into the iLO web UI and browsing to an affected page, such as the the iLO Federation - Group Configuration section, this JavaScript would then rendered in the authenticated user's browser. An attacker could also specify an external JavaScript resource, providing greater opportunities and capabilities for the payload.
The iLO web service has no controls in place, such as the use of certain HTTP headers, that would mitigate this issue.