Critical vulnerability in HPE Integrated Lights-out 4 (iLO 4)

[German]The management software Integrated Lights-out 4 (iLO 4) for HP-Proliant Server has a critical vulnerability, allowing remote code execution on a system without login.


Critical vulnerability – urgent patch required

Hewlett Packard's Enterprise (HPE) Product Security Response Team has released this SECURITY BULLETIN. In Integrated Lights-out 4 (iLO 4) is a critical vulnerability (CVE-2017-12542) that allows attackers a code execution on a system without login.

Affected are all HP Integrated Lights-Out 4 (iLO 4) versions before 2.53. The vulnerability has been detected by Fabien Perigaud, Airbus Defense and Space CyberSecurity. HPE quotes the vulnerability as critical, a patch should be applied as early as possible.

Hot to get the firmware

HPE provides a new firmware on this web page But it's a challenged, to find the rigt download (see Screenshot).

HPE iLO 4-Seite

This German Walktrough says, you need to select 'Microsoft Windows Server 2016' as operating system. The the category 'Software – Lights-Out Management (6)' schall apper. Select under 'Firmware – Lights-Out Management'


* RECOMMENDED * Online ROM Flash Component for Windows – HPE Integrated Lights-Out 4 (American) 2.54 7 Jul 2017 13.6

But there are two identical entries, so use the one that downloads a file cp032623.exe. Here is a direct link to download page. The .exe file is a self unpacking archiver, containing a .bin file, that can be installed using iLO.

Use an unpacker like 7-ZIP to expand the files unter Linux or MacOS. Or download the firmware updates a rpm or scexe.

Within this German comment an administrator reports, that installing the firmware clears all settings. Perhaps it helps blog readers who are affected.

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, issue, Security, Update and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *