Even as all of the hoopla about the recent Heartbleed bug starts to calm down in IT circles, the problem still remains. But as calmer heads prevail and begin looking at the problem more pragmatically, new issues are cropping up that hadn’t been considered initially.
In a recent blog post, Opengear’s Robert Waldie pointed out that while HP’s Integrated Lights-Out products (iLO, iLO2, iLO3, and iLO4) have not been exposed to the “Heartbleed vulnerability” (as HP coyly put it), there is a related problem.
“The first-generation iLO and iLO 2 products use the RSA SSL libraries and there is a bug in these libraries that will cause first-generation iLO and iLO 2 devices to enter a live lockup situation when a vulnerability scanner runs to check for the Heartbleed vulnerability,” HP noted in an alert. “Although the server's operating system will continue to function normally, first-generation iLO and iLO 2 will no longer be responsive over the management network.”
In short, users who run a Heartbleed scan against systems with first-generation iLO or iLO 2 run the risk of a complete lockup of the management interface.
“Amidst table-flipping frustration, the ensuing discussion over at Reddit’s r/sysadmin notes that many of the lock-ups were caused by concerned users taking a ‘carpet bombing’ approach and scanning their entire internal network,” Waldie said in his post. “This raises a few good points about best practice out-of-band management.”
Among the suggestions Waldie offers to keep systems up and running but still safe:
Don’t connect management interfaces such as lights-out server and PDU SNMP cards to your main corporate LAN. Instead, set up a separate management VLAN and, as a best practice, use a purpose-built out-of-band management appliance as a bastion to authenticate, encrypt and log access to this network.
Service processors and lights-out cards like iLO are an invaluable part of out-of-band management, but they’re not the only part. For comprehensive remote power control use a remotely-switchable PDU, so you can cold restart that server.
Monitor your management network. This part is most critical. The first some iLO users will hear of this lock-up issue may be months or years from now, while they’re responding to an incident that requires emergency management access. Take steps now to ensure your unfettered access later.
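One way to enforce the first suggestion on the scanning side, as an added example that is not from the article or from Opengear’s post: a Python check that flags scan targets overlapping the management VLAN and carves those ranges out before a Heartbleed scanner is pointed at the network. The management ranges below are constructed, hypothetical addresses.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example inventory (hypothetical addresses): management VLAN
# ranges that a vulnerability scan must never touch.
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network("10.250.0.0/24"),   # iLO / service-processor VLAN
    ipaddress.ip_network("10.250.1.0/24"),   # PDU SNMP cards
]


def scope_violations(scan_targets: Iterable[str],
                     mgmt_nets=MANAGEMENT_NETWORKS) -> List[Tuple[str, List[str]]]:
    """Return the scan targets (hosts or CIDRs) that overlap a management network.

    A 'carpet bombing' target such as 10.0.0.0/8 is flagged just like a
    single iLO address, because any overlap counts.
    """
    violations = []
    for target in scan_targets:
        net = ipaddress.ip_network(target, strict=False)
        hits = [str(m) for m in mgmt_nets if net.overlaps(m)]
        if hits:
            violations.append((target, hits))
    return violations


def safe_targets(scan_targets: Iterable[str],
                 mgmt_nets=MANAGEMENT_NETWORKS) -> List[str]:
    """Carve every management range out of the scan targets.

    Two CIDR blocks either nest or are disjoint, so an overlapping target is
    either larger than the management range (carve it out) or lies entirely
    inside it (drop it).
    """
    remaining = [ipaddress.ip_network(t, strict=False) for t in scan_targets]
    for m in mgmt_nets:
        next_round = []
        for net in remaining:
            if not net.overlaps(m):
                next_round.append(net)
            elif m.subnet_of(net):
                # address_exclude() yields the pieces of net outside m
                next_round.extend(net.address_exclude(m))
            # else: net sits entirely inside the management range; drop it
        remaining = next_round
    return [str(n) for n in sorted(remaining)]
```

Feeding the output of safe_targets() to the scanner instead of the original target list keeps a site-wide Heartbleed check from ever reaching the iLO cards.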
While Heartbleed can be a vexing problem, it is not an unmanageable one. But therein lies the key; it must be managed today before it becomes a real problem down the road.