Oracle ILOM Compromise via EternalBlue

Introduction
While automated tools are useful for maintaining baseline security, they often miss sophisticated, multi-layered vulnerabilities that require a manual, strategic approach to uncover. At Black Hat Ethical Hacking (BHEH), our Red Team employs advanced manual testing, real-world attack simulations, and in-depth system analysis to uncover vulnerabilities that automated methods often overlook. This process highlights the importance of human expertise and creativity in identifying and exploiting complex weaknesses that could compromise even well-protected systems.
Executive Summary
During a penetration testing engagement, our team identified a critical exploitation chain affecting an enterprise network. The attack began by exploiting the EternalBlue vulnerability (CVE-2017-0144) on an unpatched Windows server, allowing remote code execution. We used this foothold to pivot within the internal network and discovered an Oracle ILOM server still configured with factory-default credentials.
Exploiting these misconfigurations granted us full administrative access to the ILOM interface, exposing SSH private keys, remote hardware control (via KVMS), and the ability to cause significant operational disruption. This case shows how the combination of unpatched legacy systems and default credentials can open the door to serious breaches, especially when those systems manage core infrastructure.
Security Lesson Learned: Oracle ILOM devices must never retain factory-default credentials in production environments.
The following report details each stage of the attack, the associated risks, and concrete remediation strategies.
Overview of the Issue Discovered
Weakness Type
- Vulnerability Chain: EternalBlue Exploitation and Oracle ILOM Default Credentials
- CVE References: CVE-2017-0144: EternalBlue SMB vulnerability in Windows systems
Severity
Critical: This chain of vulnerabilities enabled us to achieve unrestricted administrative access to critical infrastructure components. The exploitation of legacy system vulnerabilities combined with poor credential management presents a severe risk to system integrity, data security, and operational continuity.
Base Score: 9.8 (Critical)
The CVSS score for EternalBlue (CVE-2017-0144) may change over time based on the availability of exploit tools or security patches. For example, if a patch is universally applied, the score could decrease due to reduced exploitability. Conversely, if new exploit kits make the vulnerability easier to leverage, the Temporal Score could increase. Organizations must regularly reassess CVSS scores as part of their vulnerability management strategy.
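The paragraph above describes how the Temporal Score moves with exploit availability and patch status but does not show the arithmetic. The following is an added example, not code from the original report or from BHEH, that implements the CVSS v3.1 Temporal Score formula (Base Score multiplied by the Exploit Code Maturity, Remediation Level and Report Confidence weights, then rounded up to one decimal with the specification's integer-based Roundup) and applies it to the 9.8 base score quoted above. The metric weights are the published CVSS v3.1 values; the scenarios at the bottom are illustrative choices, not scores asserted by the report.

```python
import math

# CVSS v3.1 temporal metric weights (X = Not Defined).
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal number >= value.

    The specification does the comparison on an integer scaled by 100000
    so that floating-point drift (e.g. 8.4999999) cannot change the result.
    """
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base: float, e: str = "X", rl: str = "X", rc: str = "X") -> float:
    """Temporal = Roundup(Base * ExploitCodeMaturity * RemediationLevel * ReportConfidence)."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def eternalblue_scenarios(base: float = 9.8) -> dict:
    """Illustrative (constructed) scenarios for the base score quoted in the report.

    Keys are scenario names; values are the resulting temporal scores.
    """
    return {
        # Nothing defined: temporal equals base.
        "not_defined": temporal_score(base),
        # Weaponised exploit (H), vendor patch exists (O), confirmed (C).
        "weaponised_with_patch": temporal_score(base, "H", "O", "C"),
        # Only functional exploit code (F), patch exists (O), confirmed (C).
        "functional_with_patch": temporal_score(base, "F", "O", "C"),
        # Exploit unproven (U), patch exists (O), confirmed (C).
        "unproven_with_patch": temporal_score(base, "U", "O", "C"),
    }


if __name__ == "__main__":
    for name, score in eternalblue_scenarios().items():
        print(f"{name:24s} {score}")
```

The point the paragraph makes is visible in the output: an official fix alone takes the same 9.8 base score down only to 9.4 while weaponised exploit code exists, and the Temporal Score falls further only when the available exploit code is judged less mature.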
Affected Assets
- IPv6 Address: [fe70::310:e0ff:fe86:3c4d] (obscured for confidentiality)
- Hostname: oracle-ilom
- System Type: Rack-mounted Oracle SPARC T5-2, a high-performance server model often used for mission-critical applications.
This discovery represents a high-severity security flaw due to the unrestricted access it provides to critical management functionalities, with potential for extensive damage across dependent systems.
Data Source
- Primary Exploitation Method: Multi-layered manual exploitation using EternalBlue for initial access and default credential reconnaissance.
- Supporting Documentation: Oracle ILOM user manuals for default credential references, EternalBlue exploitation guides.
- Tools used: Metasploit
Impact and Risks
The exploitation of the Oracle ILOM server through the EternalBlue vulnerability and default credentials poses substantial risks that could affect both operational stability and data integrity:
- Unauthorized Access and Full Control: By exploiting these vulnerabilities, attackers could obtain administrative privileges, allowing them to alter or disable key system settings, manipulate configurations, and view or erase system logs, making it challenging to trace malicious activity.
- Sensitive Data Exposure: The compromised ILOM interface stored unencrypted SSH keys and network data in configuration files. Access to these keys would enable attackers to authenticate on other internal systems, significantly increasing the risk of further compromise.
- Service Disruption: ILOM servers manage core components of system infrastructure. An attacker with control over the ILOM could disable or reset services, leading to substantial downtime and operational loss. In environments reliant on 24/7 uptime, this could result in severe financial and reputational damage.
- Physical and Remote Access: The ILOM server provides KVMS (Keyboard, Video, Mouse, Storage) control, which allows remote manipulation of hardware-level functionalities. This enables attackers not only to disrupt services but also to modify data at a low level, which can impact data integrity and the reliability of hardware-dependent applications.
- Pivot Point for Lateral Movement: The ILOM server, especially in its role as a management interface, offers potential pivot points to other devices in the network. Attackers could leverage this foothold to gain further access, conduct reconnaissance, or execute additional attacks on adjacent systems.
Each of these risks is magnified in an enterprise environment where an ILOM server manages high-value assets, underscoring the importance of securing such devices against unauthorized access and default credential vulnerabilities.
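The "Sensitive Data Exposure" point above rests on private SSH keys sitting unencrypted in ILOM configuration files. A defender reviewing configuration backups or exported ILOM settings wants to find such keys before an attacker does. The following is an added example, not code from the original report or from BHEH: it scans a text dump for PEM private-key blocks and reports which ones are stored in the clear. Traditional PEM keys are treated as encrypted only when they carry a `Proc-Type: 4,ENCRYPTED` header, PKCS#8 `ENCRYPTED PRIVATE KEY` blocks are encrypted by definition, and OpenSSH-format keys are decoded far enough to read the cipher name recorded in the `openssh-key-v1` header (`none` means no passphrase). The configuration dump and the key blobs are constructed inline for the example and are not real key material; the ILOM configuration file format is not assumed, only the presence of PEM blocks in it.

```python
from __future__ import annotations

import base64
import re
import struct
from dataclasses import dataclass

# Matches any PEM private-key block and requires the END label to equal the BEGIN label.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*?PRIVATE KEY)-----\n(.*?)-----END \1-----",
    re.DOTALL,
)


@dataclass
class KeyFinding:
    line: int        # 1-based line on which the block starts
    kind: str        # PEM label, e.g. "RSA PRIVATE KEY" or "OPENSSH PRIVATE KEY"
    encrypted: bool  # False means the key is usable without a passphrase


def _openssh_cipher(body_b64: str) -> str:
    """Return the cipher name from an OpenSSH private key.

    Layout: b"openssh-key-v1\\0" | uint32 len | ciphername | uint32 len | kdfname | ...
    Only the first string is needed to decide whether the key is protected.
    """
    raw = base64.b64decode("".join(body_b64.split()))
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic):
        return "unknown"
    off = len(magic)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")


def find_private_keys(text: str) -> list[KeyFinding]:
    """Locate every PEM private-key block in a configuration dump."""
    findings = []
    for m in PEM_RE.finditer(text):
        kind, body = m.group(1), m.group(2)
        if kind == "OPENSSH PRIVATE KEY":
            encrypted = _openssh_cipher(body) != "none"
        else:
            encrypted = kind == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        findings.append(KeyFinding(text.count("\n", 0, m.start()) + 1, kind, encrypted))
    return findings


def plaintext_keys(text: str) -> list[KeyFinding]:
    """Only the findings an auditor must act on: keys stored without encryption."""
    return [f for f in find_private_keys(text) if not f.encrypted]


def _fake_openssh_key(cipher: str) -> str:
    """Constructed OpenSSH-format block carrying only the header a scanner reads; not a usable key."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    blob += struct.pack(">I", 4) + b"none"  # kdfname placeholder
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample dump: hostname from the report, everything else made up.
SAMPLE_CONFIG_DUMP = (
    "hostname=oracle-ilom\n"
    "network/state=enabled\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEAconstructedNotARealKey\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "constructedEncryptedBody\n"
    "-----END RSA PRIVATE KEY-----\n"
    + _fake_openssh_key("none")
    + _fake_openssh_key("aes256-ctr")
    + "-----BEGIN PRIVATE KEY-----\n"
    "MIIEvQIBADANconstructedPkcs8\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for f in plaintext_keys(SAMPLE_CONFIG_DUMP):
        print(f"line {f.line}: unencrypted {f.kind}")
```

Run against the sample, the scanner reports the unencrypted RSA, OpenSSH and PKCS#8 keys and stays quiet about the two protected ones. The same function can be pointed at any exported configuration, firmware dump or backup archive once it has been extracted to text.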
Technical Description
The technical path to this exploitation was neither straightforward nor trivial. It involved a creative combination of network-based exploits and credential reconnaissance that leveraged both a well-known exploit (EternalBlue) and the systemic issue of default credentials left unsecured on legacy systems.
The following flowchart illustrates the sequential stages of the attack, from initial access via EternalBlue to complete administrative control of the Oracle ILOM server.
Initial Access via EternalBlue (CVE-2017-0144):
- Our Red Team identified an unpatched Windows 2007 server on the internal network, vulnerable to the EternalBlue exploit, a renowned vulnerability in the Server Message Block (SMB) protocol.
- EternalBlue, which exploits a flaw in how Windows handles SMBv1 requests, allowed us to execute arbitrary code remotely. This access provided an initial foothold on the network, enabling us to pivot further and assess the surrounding assets.
- Using post-exploitation frameworks, we mapped the network from this compromised server, enumerating connected devices, including an Oracle ILOM server.
Discovery of the Oracle ILOM Server and Credential Strategy:
- The Oracle ILOM server presented itself as an accessible management interface but was secured only by default credentials. This issue, while not tied to a specific CVE, is a well-documented weakness in Oracle ILOM systems. It was found through fuzzing with a dictionary of default and predictable credentials.
- Recognizing the potential, we conducted targeted research into Oracle's default credential documentation. A quick test confirmed that the server's interface was still configured with the factory-default credentials.
- Upon logging in, we gained administrative control over the server, allowing us to view sensitive configuration files, extract SSH keys, and access network configurations.
Complete Control via ILOM Features:
- With administrative access, we could leverage the KVMS (Keyboard, Video, Mouse, Storage) capabilities of the Oracle ILOM interface, which grants extensive control over the hardware remotely.
- We also discovered options for shutting down or resetting the server, which could disrupt services at will.
- Additionally, access to SSH keys and network data provided in configuration files could allow an attacker to authenticate on other parts of the network, facilitating a broader campaign of infiltration and potential data exfiltration.
This multi-step exploitation demonstrated not only the potential damage of unpatched vulnerabilities like EternalBlue but also the impact of poor security posture, such as default credentials on sensitive management systems. Each step required a manual, creative approach that exemplifies the need for comprehensive security reviews, especially on legacy systems.
Screenshots
[Screenshot: Oracle_Server_SSH_Stealing_Keys]
The above image illustrates the extraction of unencrypted SSH keys from the ILOM’s configuration files, which could be used for lateral movement within the network.
[Screenshot: Oracle_Server_ILOM_Default_PW_From_Manual]
The above image is from Oracle documentation showing default password information, corroborating the method used to gain access.
Recommendations
To mitigate the risks and prevent unauthorized access to Oracle ILOM systems and other critical infrastructure, the following security measures are recommended:
- Patch and Monitor Legacy Systems:
- Ensure that all legacy systems are patched against vulnerabilities like EternalBlue (CVE-2017-0144). For environments with strict uptime requirements, consider network segmentation to protect unpatched legacy systems from external threats.
- Change Default Credentials on Management Interfaces:
- Oracle ILOM systems, along with other management consoles, should be reconfigured with unique, strong passwords immediately upon deployment. Organizations should conduct regular audits to identify and secure systems that may still use default credentials.
- Upgrade Oracle ILOM Firmware:
- Upgrade all Oracle ILOM servers to the latest version of the firmware, which often includes fixes for default credential vulnerabilities and other security improvements. Keeping firmware up-to-date is essential for protecting these devices from well-known exploits.
- Implement Strong Access Controls and Monitoring:
- Configure management interfaces like Oracle ILOM to restrict access to trusted IP ranges and authorized personnel only. Enable logging and monitoring to detect unusual access patterns that may indicate unauthorized attempts.
- Network Segmentation:
- Critical management interfaces, such as Oracle ILOM, should be segregated from the primary production network and placed in isolated network segments. This will prevent attackers from using a compromised management interface as a pivot point for further internal attacks.
By addressing these vulnerabilities proactively, organizations can greatly reduce their exposure to similar multi-layered attacks and secure sensitive management interfaces.
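The "Implement Strong Access Controls and Monitoring" recommendation above asks for logging that detects unusual access patterns on the management interface, and the chain described in this report has a recognisable shape in the logs: a burst of failed logins from a host that is not on the management network, followed by a success for the same account. The following is an added example, not code from the original report or from BHEH, of detection logic for that pattern. It assumes ILOM session events are forwarded to a syslog collector in the constructed line format shown in `SAMPLE_LOG` (modelled loosely on ILOM's "Open Session" audit entries, but not a real ILOM log format) and that the trusted management ranges in `TRUSTED_MGMT` are placeholders to be replaced with the organisation's own. It flags three things: a credential-guessing burst, any successful login from outside the trusted ranges, and a success that follows recent failures from the same source.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed management ranges (placeholders); ILOM is reachable over IPv6 too, so both families are listed.
TRUSTED_MGMT = [
    ipaddress.ip_network("10.99.0.0/24"),
    ipaddress.ip_network("fd00:99::/64"),
]

# Constructed forwarded-syslog line format for ILOM session events.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ilom: (?P<user>\S+) : Open Session : "
    r"type = (?P<iface>\w+) : from = (?P<src>[0-9a-fA-F:.]+) : (?P<result>success|failure)$"
)


@dataclass
class Alert:
    rule: str
    src: str
    user: str
    ts: str


def analyze(
    lines: list[str],
    trusted=TRUSTED_MGMT,
    fail_threshold: int = 5,
    window: timedelta = timedelta(minutes=5),
) -> list[Alert]:
    """Scan session events in order and raise alerts for the patterns described above."""
    alerts: list[Alert] = []
    failures: dict = defaultdict(list)  # source address -> timestamps of failures inside the window
    burst_alerted = set()               # one credential-guessing alert per source

    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated syslog traffic
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        src = ipaddress.ip_address(m["src"])

        if m["result"] == "failure":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= fail_threshold and src not in burst_alerted:
                alerts.append(Alert("credential_guessing", str(src), m["user"], m["ts"]))
                burst_alerted.add(src)
            continue

        # Successful login: check where it came from and what preceded it.
        if not any(src in net for net in trusted):
            alerts.append(Alert("login_from_untrusted_network", str(src), m["user"], m["ts"]))
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= 3:
            alerts.append(Alert("success_after_failures", str(src), m["user"], m["ts"]))
    return alerts


# Constructed sample: an administrator on the management network mistypes once, then a host on the
# production side (the kind of foothold the report describes) guesses five times and gets in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z oracle-ilom ilom: admin : Open Session : type = web : from = 10.99.0.5 : success
2024-05-01T10:05:10Z oracle-ilom ilom: admin : Open Session : type = ssh : from = 10.99.0.5 : failure
2024-05-01T10:05:20Z oracle-ilom ilom: admin : Open Session : type = ssh : from = 10.99.0.5 : success
2024-05-01T11:30:00Z oracle-ilom ilom: root : Open Session : type = ssh : from = 10.20.0.15 : failure
2024-05-01T11:30:02Z oracle-ilom ilom: root : Open Session : type = ssh : from = 10.20.0.15 : failure
2024-05-01T11:30:04Z oracle-ilom ilom: root : Open Session : type = ssh : from = 10.20.0.15 : failure
2024-05-01T11:30:06Z oracle-ilom ilom: root : Open Session : type = ssh : from = 10.20.0.15 : failure
2024-05-01T11:30:08Z oracle-ilom ilom: root : Open Session : type = ssh : from = 10.20.0.15 : failure
2024-05-01T11:30:09Z oracle-ilom ilom: root : Open Session : type = ssh : from = 10.20.0.15 : success
""".splitlines()

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:30s} user={a.user} src={a.src}")
```

The administrator's single typo from the trusted range produces nothing, while the production-side host trips all three rules. Alerting on the untrusted-source rule alone is the cheapest control and directly enforces the segmentation recommendation: once management interfaces are isolated, any success from outside the management range is an incident by definition.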
Lessons for the Defence Team
This case highlights the critical role of manual penetration testing in uncovering complex vulnerabilities that automated tools often fail to detect. The exploitation chain involving EternalBlue and Oracle ILOM's default credentials demonstrates how attackers can combine legacy vulnerabilities with poor security hygiene to achieve administrative control over critical infrastructure. Automated tools do not know where to look or what to test; they proceed in a 'Hail Mary' fashion, which is why manual pentesting can be more creative when hunting down a specific attack vector.
Patching known vulnerabilities, such as those exploited in this case, and securing administrative interfaces are foundational practices for robust cyber defense. Additionally, this case underscores the importance of creative and strategic approaches during penetration tests, which are essential for identifying deeply embedded weaknesses in complex environments.
By implementing the recommended mitigations, such as network segmentation, credential hardening, and monitoring, and aligning with globally recognized best-practice frameworks like CIS Controls, organizations can significantly strengthen their resilience against sophisticated attacks. Regular penetration testing ensures that evolving threats are identified and mitigated, safeguarding critical systems while fostering trust and operational continuity.
Disclaimer: All actions described in this report were performed under strict ethical guidelines and with explicit written authorization from the client. Black Hat Ethical Hacking does not condone or take any responsibility for the misuse of the information contained herein. This write-up is intended solely for educational and professional reporting purposes. No details revealing the identity of the client, their infrastructure, or specific assets have been disclosed, ensuring full confidentiality and protection of client data.