HPE iLO 5 security: Go home cryptoprocessor, you’re drunk! — Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
Date: 2 June 2021 at 15:15 — 30 min.
At the core of HPE Gen10 servers lies the Integrated Lights Out 5 (iLO 5) technology. This new revision (hardware and software) of the remote management technology introduced a key feature described as a silicon root of trust built into the hardware.
Our previous studies on the technology highlighted a critical flaw in the secure boot process, allowing us to load a rogue userland applicative image.
At the start of 2020, we observed that new HPE iLO 5 firmware (version 2.x) would come as an encrypted binary blob. At a time when supply chain attacks and platform security are more exposed than ever, we decided to review the security implications of the new firmware packaging, and will present:
- An analysis of the new firmware file format;
- An extensive review of the cryptographic scheme and of the hardware resource it relies on (the cryptographic coprocessor);
- The discovery of a new 0-day vulnerability to achieve host-to-iLO code execution;
- A demonstration that Frankenstein firmware and supply chain attacks are still possible.
All these steps have been conducted to reach a final goal: releasing a tool that allows anyone to decrypt firmware updates in order to assess their security.