CVE-2016-4375

9.8 CRITICAL

📋 TL;DR

Multiple unspecified vulnerabilities in HPE iLO 3 and iLO 4 firmware (including the iLO 4 mRCA variant) allow remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors; HPE has published no technical detail. Any HPE server whose iLO runs firmware below the fixed release is affected, regardless of the host operating system, because iLO is the out-of-band management controller and runs independently of it.

💻 Affected Systems

Products:
  • HPE Integrated Lights-Out 3 (iLO 3)
  • HPE Integrated Lights-Out 4 (iLO 4)
  • HPE Integrated Lights-Out 4 mRCA
Versions: iLO 3 firmware before 1.88, iLO 4 firmware before 2.44, iLO 4 mRCA firmware before 2.32
Operating Systems: Not OS dependent - firmware vulnerabilities
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the baseboard management controller firmware, independent of server operating system.

📦 What is this software?

HPE Integrated Lights-Out (iLO) is the baseboard management controller built into HPE ProLiant servers. It runs its own firmware on a dedicated processor with its own network port and provides out-of-band management of the host: remote console, virtual media, power control and firmware updates, reachable over HTTPS, SSH and its own remote console and virtual media ports even when the host operating system is down.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full compromise of the management controller. iLO carries remote console, virtual media and power control over the host, so an attacker at that level can watch or drive the host console, alter its configuration or boot media, or power the server off and keep it off until the iLO is recovered.

🟠 Likely Case: Unauthorized disclosure of management information (configuration, account and network details) or temporary disruption of iLO functionality.

🟢 If Mitigated: Limited impact if iLO interfaces sit on an isolated management network and are reachable only from approved administration hosts.

🌐 Internet-Facing: HIGH - an iLO reachable from the internet exposes its whole attack surface to anyone; the CVSS v3 vector is network-reachable, low-complexity and requires no privileges, and iLO web interfaces are routinely enumerated by internet-wide scans.
🏢 Internal Only: HIGH - any attacker or malware with a foothold on a network that routes to the iLO subnet can reach the same services, and because one iLO network usually serves every server in a rack, a single foothold scales to the fleet.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Assumed (CVSS PR:N)
Complexity: LOW (CVSS AC:L)

HPE disclosed no vectors. The 9.8 score follows from the NVD vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which assumes a network-reachable, low-complexity, unauthenticated attack with full impact. Treat these as scoring assumptions rather than a known exploit path: there is no signature to detect the attack itself, so the firmware update is the control to plan around.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: iLO 3: 1.88+, iLO 4: 2.44+, iLO 4 mRCA: 2.32+

Vendor Advisory: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05236950

Restart Required: Yes for the iLO controller only. The iLO resets itself when the new image is activated; the host operating system keeps running and does not need a reboot.

Instructions:

1. Download the fixed iLO firmware image for your product from the HPE Support Center (iLO 3 1.88, iLO 4 2.44, iLO 4 mRCA 2.32, or later).
2. Log in to the iLO web interface with an account that holds the Configure iLO Settings privilege, or connect over SSH.
3. Upload the firmware image (web interface on iLO 4: Administration → Firmware).
4. Apply the update; the iLO controller resets when the new image is activated, and the host keeps running.
5. Reconnect and confirm the reported firmware version matches the fixed release.

At scale, the same image can be pushed from the host side with HPE's hponcfg utility or with HP Smart Update Manager instead of logging in to each iLO.

🔧 Temporary Workarounds

Network Segmentation (all affected products)

Isolate iLO management interfaces on a dedicated management VLAN with no route from production or user networks, and reach it only through a jump host.

Access Restriction (all affected products)

Implement firewall rules that allow only authorized management stations to reach the iLO service ports (22, 80, 443, 623, 17988, 17990), drop everything else, and log the drops.

🧯 If You Can't Patch

  • Segment iLO interfaces completely from production networks and internet
  • Implement strict IP-based access controls and monitor all iLO access attempts

🔍 How to Verify

Check if Vulnerable:

Access the iLO web interface → Information → Overview, which shows the iLO firmware version, or SSH to the iLO and run 'show /map1/firmware1' (SMASH CLP). Any firmware below the fixed release for your product is vulnerable.

Check Version:

ssh <user>@<iLO-IP> 'show /map1/firmware1' (the version property of firmware1 is the iLO firmware release), or check the Information tab of the web interface. For a fleet, the discovery page https://<iLO-IP>/xmldata?item=All reports the product name (PN) and firmware release (FWRI) and is served without authentication by default, unless anonymous XML reply data has been disabled on that iLO.

Verify Fix Applied:

Verify firmware version meets minimum: iLO 3 >= 1.88, iLO 4 >= 2.44, iLO 4 mRCA >= 2.32
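A fleet-wide version check, added here as an example (not from HPE or from the original page). It reads the product name and firmware release from the iLO's `/xmldata?item=All` discovery endpoint, which iLO 3 and iLO 4 serve without authentication unless anonymous XML reply data has been turned off, and compares the release with the fixed baselines. The two XML responses embedded below are constructed in that endpoint's shape, with made-up serial numbers, so the script runs offline; `fetch_xmldata()` is the only part that contacts a device and is not called by default. The script does not distinguish iLO 4 mRCA (fixed in 2.32) from a standard iLO 4, so the 2.44 baseline is applied to every iLO 4; confirm mRCA units manually.

```python
"""Fleet check for CVE-2016-4375: compare iLO firmware releases with the fixed
baselines (iLO 3 >= 1.88, iLO 4 >= 2.44).

The firmware string comes from iLO's /xmldata?item=All endpoint (real; it
answers without authentication on iLO 3/4 unless anonymous XML data is off).
SAMPLE_XMLDATA below is CONSTRUCTED in that endpoint's shape for offline use.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Minimum fixed release per product, keyed on the substring found in <PN>.
# iLO 4 mRCA (fixed in 2.32) is not separable from a plain iLO 4 by product
# name here, so it gets the 2.44 baseline and must be confirmed by hand.
FIXED_VERSIONS = {
    "iLO 3": (1, 88),
    "iLO 4": (2, 44),
}

# Constructed sample: one vulnerable iLO 4 and one patched iLO 3.
SAMPLE_XMLDATA = {
    "10.10.0.11": """<RIMP><HSI><SPN>ProLiant DL380 Gen9</SPN></HSI>
<MP><ST>1</ST><PN>Integrated Lights-Out 4 (iLO 4)</PN><FWRI>2.30</FWRI>
<HWRI>ASIC: 16</HWRI><SN>ILOCZ0000001</SN></MP></RIMP>""",
    "10.10.0.12": """<RIMP><HSI><SPN>ProLiant DL360 G7</SPN></HSI>
<MP><ST>1</ST><PN>Integrated Lights-Out 3 (iLO 3)</PN><FWRI>1.88</FWRI>
<HWRI>ASIC: 9</HWRI><SN>ILOCZ0000002</SN></MP></RIMP>""",
}


def parse_version(text):
    """'2.44' -> (2, 44); anything unparsable -> None."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def parse_xmldata(xml_text):
    """Return (product_name, firmware_release) from an xmldata response."""
    root = ET.fromstring(xml_text)
    mp = root.find("MP")
    if mp is None:
        raise ValueError("no <MP> element: not an iLO xmldata response")
    return mp.findtext("PN", default=""), mp.findtext("FWRI", default="")


def assess(product_name, firmware):
    """Return 'vulnerable', 'patched' or 'unknown' for one iLO."""
    version = parse_version(firmware)
    for key, minimum in FIXED_VERSIONS.items():
        if key in product_name:
            if version is None:
                return "unknown"
            return "patched" if version >= minimum else "vulnerable"
    return "unknown"  # iLO 2, iLO 5, or not an iLO at all


def assess_fleet(responses):
    """{ip: xml_text} -> {ip: (product_name, firmware, status)}."""
    results = {}
    for ip, xml_text in responses.items():
        pn, fw = parse_xmldata(xml_text)
        results[ip] = (pn, fw, assess(pn, fw))
    return results


def fetch_xmldata(ip, timeout=5):
    """Fetch the live discovery page from one iLO (read-only, no login).
    iLO ships a self-signed certificate, so verification is disabled here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{ip}/xmldata?item=All"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for ip, (pn, fw, status) in sorted(assess_fleet(SAMPLE_XMLDATA).items()):
        print(f"{ip:15} {pn:35} {fw:6} {status}")
```

To run it against real hardware, build the `responses` dict with `fetch_xmldata()` over your iLO address list from a management host that is allowed to reach the iLO subnet; anything reported as "unknown" needs a manual look at Information → Overview.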

📡 Detection & Monitoring

Log Indicators (the iLO Event Log is local to the controller; enable iLO's remote syslog forwarding so these entries reach the SIEM at all):

  • Logins to the iLO from addresses outside the management range, or at unusual hours
  • Multiple failed login attempts against one iLO from a single source
  • Firmware update entries in the iLO Event Log that do not match a change window

Network Indicators:

  • Unexpected traffic to iLO service ports (defaults: 22 SSH, 80/443 web, 623 IPMI over LAN when enabled, 17988 Virtual Media, 17990 Remote Console)
  • Traffic from non-management networks to iLO interfaces

SIEM Query:

(dest_ip IN (iLO_subnets) AND dest_port IN (22,80,443,623,17988,17990) AND NOT source_ip IN (management_subnets))
OR (host IN (iLO_hosts) AND (event_type="authentication_failure" OR event_type="firmware_update"))

The first clause keys on the destination, since traffic that matters arrives at the iLOs from elsewhere; filtering on a source address inside the iLO subnets would only match traffic the iLOs themselves send. The second clause matches events the iLOs forward over syslog.
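The indicators above turned into runnable detection logic, as an added example (not from the original page or from HPE). The first function flags flow records that reach iLO service ports on the iLO subnet from a source outside the approved management range; the second finds bursts of failed iLO logins from one source within a sliding window. The subnets, the flow-record and authentication-event layouts, and every sample record are constructed for this example and are not a specific export or log format; map the field names onto what your collector produces.

```python
"""Detection logic for the iLO network and log indicators (CVE-2016-4375).

Two checks over CONSTRUCTED sample data:
  1. flows that hit iLO service ports on the iLO subnet from anywhere other
     than the approved management stations;
  2. bursts of failed iLO logins from one source inside a short window.
Record layouts are invented for this example, not a vendor log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Default iLO 3/4 listeners: SSH, HTTP, HTTPS, IPMI-over-LAN (if enabled),
# Virtual Media and Remote Console.
ILO_PORTS = {22, 80, 443, 623, 17988, 17990}

ILO_NETS = [ip_network("10.10.0.0/24")]    # where the iLOs live (assumed)
MGMT_NETS = [ip_network("10.99.0.0/28")]   # approved admin stations (assumed)


def in_any(addr, nets):
    """True if the address falls in any of the given networks."""
    a = ip_address(addr)
    return any(a in n for n in nets)


def unexpected_ilo_flows(flows, ilo_nets=ILO_NETS, mgmt_nets=MGMT_NETS):
    """Flows towards an iLO port on an iLO subnet from a non-management source."""
    return [
        f for f in flows
        if in_any(f["dst"], ilo_nets)
        and f["dport"] in ILO_PORTS
        and not in_any(f["src"], mgmt_nets)
    ]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """{(ilo, src): max_count} for sources with >= threshold failures against
    one iLO inside any `window`-long span (sliding window over sorted times)."""
    per_pair = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            per_pair[(e["ilo"], e["src"])].append(e["ts"])
    bursts = {}
    for key, stamps in per_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


# Constructed sample flow records (src, dst, destination port).
SAMPLE_FLOWS = [
    {"src": "10.99.0.5",    "dst": "10.10.0.11", "dport": 443},    # admin station: expected
    {"src": "10.20.4.17",   "dst": "10.10.0.11", "dport": 443},    # prod host hitting iLO web UI
    {"src": "198.51.100.7", "dst": "10.10.0.12", "dport": 17990},  # external to Remote Console
    {"src": "10.20.4.17",   "dst": "10.10.0.12", "dport": 8080},   # iLO subnet, not an iLO port
    {"src": "10.20.4.17",   "dst": "10.30.0.9",  "dport": 443},    # not an iLO subnet
]

# Constructed sample authentication events (iLO, source, result, timestamp).
T0 = datetime(2016, 8, 25, 10, 0, 0)
SAMPLE_AUTH = (
    # six failures in 100 seconds from a production host: a burst
    [{"ilo": "10.10.0.11", "src": "10.20.4.17", "result": "failure",
      "ts": T0 + timedelta(seconds=20 * i)} for i in range(6)]
    # six failures spread over an hour from an admin: typos, not a burst
    + [{"ilo": "10.10.0.11", "src": "10.99.0.5", "result": "failure",
        "ts": T0 + timedelta(minutes=10 * i)} for i in range(6)]
    + [{"ilo": "10.10.0.11", "src": "10.99.0.5", "result": "success",
        "ts": T0 + timedelta(hours=1)}]
)

if __name__ == "__main__":
    for f in unexpected_ilo_flows(SAMPLE_FLOWS):
        print("ALERT flow", f)
    for (ilo, src), n in failed_login_bursts(SAMPLE_AUTH).items():
        print(f"ALERT {n} failed logins to {ilo} from {src}")
```

On the sample data the flow check raises two alerts (the production host reaching the web UI and the external address reaching the Remote Console port) and the login check raises one, for the six failures inside 100 seconds; the admin's spaced-out typos stay below the threshold because no five-minute window holds more than one of them.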

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2016-4375
  • HPE security bulletin: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05236950
