Upgrade HPE iLO4 firmware for CVE-2017-12542


Apr 17, 2018
This is a guide to upgrading HPE iLO4 firmware to fix CVE-2017-12542.
It is a remote vulnerability (details), so it is worth applying the security patch.

iLO is the HPE Baseboard Management Controller (BMC) that equips most HPE servers. If you have Gen8 or Gen9 HPE servers (for example, the very popular HPE Microserver Gen8), you may be affected.

  1. Download the firmware 2.55b from HPE (without registration).
  2. Get the Online ROM Flash Component for Windows x64 - HPE Integrated Lights-Out 4
  3. Download cp034895.exe
  4. Despite HPE's instructions, Windows is not required. You can extract the firmware with unzip on Linux or FreeBSD: run unzip cp034895.exe to get the firmware file ilo_255.bin
  5. Connect to the iLO web interface and go to the firmware update section.
  6. Upload ilo_255.bin
  7. It takes a few minutes to upload the file, check signatures and then install the new firmware.
  8. At the end, iLO reboots.
  9. Finally, you can log in to the new firmware.
  • You can apply the procedure on a running system because only iLO reboots, not the computer.
  • I have tested this procedure on my HPE Microserver Gen8 and it works perfectly. All iLO settings are preserved.
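
A post-update check for step 9, as an added example that is not part of the original guide: it parses the XML summary an iLO serves at /xmldata?item=All and reports whether an iLO 4 is running at least the 2.55 firmware this guide installs. It assumes that summary is enabled on your iLO and has been saved to a file; the function names and the sample XML are constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

TARGET = (2, 55)  # firmware version installed by this guide (ilo_255.bin)

# Constructed sample of an iLO XML summary; real responses carry more fields.
SAMPLE_OLD = """<?xml version="1.0"?>
<RIMP>
  <HSI><SPN>ProLiant MicroServer Gen8</SPN></HSI>
  <MP><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.50</FWRI></MP>
</RIMP>"""
SAMPLE_NEW = SAMPLE_OLD.replace("2.50", "2.55")


def parse_version(text):
    """Turn '2.55' (or '2.55b') into (2, 55); None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_ilo(xml_text):
    """Return (status, product, firmware) for one XML summary."""
    try:
        mp = ET.fromstring(xml_text).find("MP")
    except ET.ParseError:
        return ("unknown", None, None)
    if mp is None:
        return ("unknown", None, None)
    product = mp.findtext("PN", default="")
    firmware = mp.findtext("FWRI", default="")
    version = parse_version(firmware)
    if "iLO 4" not in product:
        # Other iLO generations use their own version numbering.
        return ("not-ilo4", product, firmware)
    if version is None:
        return ("unknown", product, firmware)
    status = "ok" if version >= TARGET else "needs-update"
    return (status, product, firmware)


if __name__ == "__main__":
    # Usage: python check_ilo.py saved_xmldata.xml [...]; no args runs the samples.
    docs = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_OLD, SAMPLE_NEW]
    for doc in docs:
        print(*check_ilo(doc))
```

Comparing the version as a pair of integers rather than as a string keeps later releases such as 2.70 from being misordered, and the product-name check stops other iLO generations from being flagged against an iLO 4 version number.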