
Integrated Lights-Out (iLO) 4 is a popular remote management solution found in Hewlett Packard Enterprise (HPE) servers around the world. In early 2022, security researchers uncovered a vulnerability, now tracked as CVE-2022-23704, which could allow attackers to remotely crash the iLO service, possibly knocking out your remote server management capabilities right when you need them the most.

In this deep-dive, we'll break down what this vulnerability means, how it can be exploited, and why patching is *absolutely critical* for your IT security. Don’t worry, we’ll keep things simple and show you sample code so you understand how the exploit works.

What is CVE-2022-23704?

CVE-2022-23704 describes a remote Denial of Service (DoS) vulnerability affecting HPE’s iLO 4 before version 2.80. An attacker with access to the management interface (usually over the network) could send a specially crafted HTTP request, causing the iLO 4 controller to crash or become unresponsive.

Since iLO allows server management even when the host OS is down, if attackers kill iLO, system administrators lose access for rebooting, monitoring hardware errors, remote console, and more. In other words, a well-timed attack could block recovery access to a server during an emergency.

Who is Affected?

Any HPE server running Integrated Lights-Out 4 (iLO 4) version earlier than 2.80 is open to this risk. Later iLO versions (i.e., iLO 5) are not affected.

> Check your firmware:  
> 1. Log in to your iLO web interface.  
> 2. The version is usually displayed on the dashboard, or go to "Information ➜ Overview."
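Clicking through each dashboard does not scale to a fleet, so here is an added example (not code from the original post) that turns the firmware check above into an inventory audit. It assumes the `FirmwareVersion` string reported by an iLO looks like `iLO 4 v2.73` (an assumption; verify against your own controllers) and runs entirely on a constructed sample inventory, so it works offline. It applies the post's own rule: only iLO 4 below 2.80 is in scope, iLO 5 is not.

```python
"""Fleet check for CVE-2022-23704 exposure: flag iLO 4 controllers below 2.80.

Added example, not code from the original post. The FirmwareVersion string
format ("iLO 4 v2.73") and the inventory shape are assumptions; the sample
inventory below is constructed, not real hosts.
"""
import re
from typing import Dict, NamedTuple, Optional

FIXED_VERSION = (2, 80)  # iLO 4 2.80, the fixed release named in the post

# Accepts "iLO 4 v2.73", "iLO 4 2.80", "iLO 5 v2.65" (format assumed)
_VERSION_RE = re.compile(r"iLO\s*(\d)\s*v?(\d+)\.(\d+)", re.IGNORECASE)


class IloVersion(NamedTuple):
    generation: int  # 4 or 5
    major: int
    minor: int


def parse_ilo_version(text: str) -> Optional[IloVersion]:
    """Parse a FirmwareVersion string into (generation, major, minor).

    Major and minor are compared as integers, so 2.73 < 2.80 is evaluated
    numerically rather than by string or float comparison.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    gen, major, minor = (int(g) for g in m.groups())
    return IloVersion(gen, major, minor)


def is_vulnerable(version: IloVersion) -> bool:
    """Only iLO 4 earlier than 2.80 is affected; the post states iLO 5 is not."""
    return version.generation == 4 and (version.major, version.minor) < FIXED_VERSION


def audit_managers(managers: Dict[str, dict]) -> Dict[str, str]:
    """Map host -> verdict for a {host: {"FirmwareVersion": ...}} inventory."""
    report = {}
    for host, body in managers.items():
        v = parse_ilo_version(body.get("FirmwareVersion", ""))
        if v is None:
            report[host] = "unknown"      # unparseable: treat as needs-review
        elif is_vulnerable(v):
            report[host] = "VULNERABLE"   # below 2.80: patch first
        else:
            report[host] = "ok"
    return report


# Constructed sample inventory (hypothetical hosts, not real data)
SAMPLE_INVENTORY = {
    "ilo-rack1-01": {"FirmwareVersion": "iLO 4 v2.73"},
    "ilo-rack1-02": {"FirmwareVersion": "iLO 4 v2.80"},
    "ilo-rack2-01": {"FirmwareVersion": "iLO 5 v2.65"},
    "ilo-rack2-02": {"FirmwareVersion": "iLO 4 v2.61"},
    "ilo-lab-01": {"FirmwareVersion": ""},
}

if __name__ == "__main__":
    for host, verdict in sorted(audit_managers(SAMPLE_INVENTORY).items()):
        print(f"{host:14s} {verdict}")
```

Hosts whose version string cannot be parsed are reported as `unknown` rather than `ok`, so a blank or unexpected response never silently passes the audit.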

Technical Details

The root cause is improper handling of certain HTTP requests on the iLO 4 controller. Sending a malformed header or payload in a request to the iLO web server can trigger the device's watchdog, which panics and restarts the iLO process.

This means an attacker needs:  
- Network access to the iLO interface over HTTP/S (either from inside the network, or via exposed management ports).

Here's a pseudo-code illustration of the nature of the bug:

```python
import requests

ILO_HOST = "https://ilo4.example.org"
HEADERS = {
    "User-Agent": "curl/7.77.0",
    # Malformed or overly long header value triggers crash
    "Cookie": "A" * 900,
}

try:
    # verify=False skips certificate validation, which iLO's self-signed cert would otherwise fail
    resp = requests.get(ILO_HOST, headers=HEADERS, verify=False, timeout=5)
    print("Sent HTTP request, got status:", resp.status_code)
except Exception as e:
    print("Connection failed:", str(e))
```

Note:
- The above code is for demonstration only. Depending on network and iLO settings, the exact header or payload to crash the service may differ.

How Would an Exploit Look in Real Life?

Let’s say you work at a data center, and someone has access to the management VLAN—or your iLO port is (insecurely!) exposed to the Internet. All an attacker has to do is run a simple script (like the one above), and the iLO service will reboot or freeze, preventing you from accessing it.

Patch instructions

1. Download iLO 4 version 2.80+ firmware from HPE Support.
2. Upload and apply the update; the server will reboot the iLO subsystem.

---

Official References

- HPE Security Bulletin: HPSBHF03723 – HPE Integrated Lights-Out 4 (iLO 4) Remote Denial of Service (DoS) (CVE-2022-23704)
- CVE Page on MITRE
- Firmware downloads for HPE iLO 4

- Patch ASAP: Update all iLO 4 devices to version 2.80 or later.
- Network segmentation: Make sure your iLO interfaces are only reachable from secure admin networks.
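The segmentation advice is only as good as your ability to verify it. The following added example (not code from the original post) scans connection logs for iLO HTTP/S access from anywhere other than an approved admin network. The log line format (`src=... dst=... dport=...`), the iLO addresses and the admin CIDR are all assumptions, and the sample log lines are constructed.

```python
"""Audit that iLO web interfaces are only reached from approved admin networks.

Added example, not from the original post. The firewall-style log format,
ILO_ADDRESSES and ADMIN_NETWORKS are assumptions; SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Assumed values: your iLO management addresses and the admin network(s)
# that should be the only source of management traffic.
ILO_ADDRESSES = {"10.20.0.11", "10.20.0.12"}
ADMIN_NETWORKS = [ipaddress.ip_network("10.99.0.0/24")]
ILO_WEB_PORTS = {80, 443}  # the HTTP/S management interface the post discusses

# Assumed log format: "... src=<ip> dst=<ip> dport=<port> ..."
_LOG_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def is_approved_source(src: str) -> bool:
    """True if the source address falls inside an approved admin network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_NETWORKS)


def find_unexpected_ilo_access(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for iLO HTTP/S connections from non-admin sources."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # not a connection record in the expected shape
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dst in ILO_ADDRESSES and dport in ILO_WEB_PORTS and not is_approved_source(src):
            hits.append((src, dst, dport))
    return hits


# Constructed sample log: one approved hit, two policy violations, two non-iLO records
SAMPLE_LOG = """\
2022-05-10T08:00:01Z src=10.99.0.5 dst=10.20.0.11 dport=443 action=allow
2022-05-10T08:00:07Z src=10.30.4.8 dst=10.20.0.11 dport=443 action=allow
2022-05-10T08:00:09Z src=203.0.113.7 dst=10.20.0.12 dport=80 action=allow
2022-05-10T08:00:12Z src=10.30.4.8 dst=10.20.0.50 dport=443 action=allow
2022-05-10T08:00:15Z src=10.99.0.6 dst=10.20.0.12 dport=22 action=allow
""".splitlines()

if __name__ == "__main__":
    for src, dst, dport in find_unexpected_ilo_access(SAMPLE_LOG):
        print(f"iLO reached from outside admin network: {src} -> {dst}:{dport}")
```

Any hit from a public address (like the `203.0.113.7` line in the sample) means the iLO port is exposed beyond the management VLAN, which is exactly the situation the post warns about; hits from internal but non-admin ranges point at a segmentation gap to close.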

Have questions or want to check your environment? Let me know in the comments—I’m happy to help you secure your servers!

Timeline

Published on: 05/09/2022 21:15:00 UTC
Last modified on: 05/19/2022 14:50:00 UTC