Improper resource shutdown in HPE Integrated Lights-Out 4 (iLO 4) and HPE Integrated Lights-Out 3

#VU12870 Improper resource shutdown in HPE Integrated Lights-Out 4 (iLO 4) and HPE Integrated Lights-Out 3

Published: 2018-05-21

Vulnerability identifier: #VU12870

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-5435

CWE-ID: CWE-404

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HPE Integrated Lights-Out 4 (iLO 4)
Hardware solutions / Firmware
HPE Integrated Lights-Out 3
Client/Desktop applications / Plugins for browsers, ActiveX components

Vendor: HPE

Description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper resource shutdown. A remote attacker can cause the service to crash.

Mitigation
Update HP Integrated Lights-Out 3 to 1.85 or 4 to 2.22.

Vulnerable software versions

HPE Integrated Lights-Out 4 (iLO 4): 2.03 - 2.20

HPE Integrated Lights-Out 3: 1.80

External links
http://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c04785857

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper resource shutdown in HP Integrated Lights-Out 3 and 4

Denial of service in HPE Integrated Lights-Out