[German]The management software Integrated Lights-out 4 (iLO 4) for HP-Proliant Server has a critical vulnerability, allowing remote code execution on a system without login.
Critical vulnerability – urgent patch required
Hewlett Packard’s Enterprise (HPE) Product Security Response Team has released this SECURITY BULLETIN. In Integrated Lights-out 4 (iLO 4) is a critical vulnerability (CVE-2017-12542) that allows attackers a code execution on a system without login.
Affected are all HP Integrated Lights-Out 4 (iLO 4) versions before 2.53. The vulnerability has been detected by Fabien Perigaud, Airbus Defense and Space CyberSecurity. HPE quotes the vulnerability as critical, a patch should be applied as early as possible.
Hot to get the firmware
HPE provides a new firmware on this web page. But it’s a challenged, to find the rigt download (see Screenshot).
This German Walktrough says, you need to select ‘Microsoft Windows Server 2016’ as operating system. The the category ‘Software – Lights-Out Management (6)’ schall apper. Select under ‘Firmware – Lights-Out Management’
* RECOMMENDED * Online ROM Flash Component for Windows – HPE Integrated Lights-Out 4 (American) 2.54 7 Jul 2017 13.6
But there are two identical entries, so use the one that downloads a file cp032623.exe. Here is a direct link to download page. The .exe file is a self unpacking archiver, containing a .bin file, that can be installed using iLO.
Use an unpacker like 7-ZIP to expand the files unter Linux or MacOS. Or download the firmware updates a rpm or scexe.
Within this German comment an administrator reports, that installing the firmware clears all settings. Perhaps it helps blog readers who are affected.