HP admits to backdoors in storage products

July 11, 2013

Uncategorized

HP admits to backdoors in storage products

Free whitepaper : Supercharge your infrastructure

Hewlett-Packard has agreed that there is an undocumented administrative account in its StoreVirtual products, and is promising a patch by 17 July.

The issue, which seems to have existed since 2009, was brought to the attention of The Register by Technion, the blogger who earlier published an undocumented backdoor in the company’s StoreOnce products.

Since then, some HP users have confirmed the backdoors in e-mail to The Register, providing evidence of the account names and passwords that allow access to the devices. The Reg can report those credentials would not pass complexity tests required by many websites as they use no numerals, symbols or capital letters.

HP has now issued this security advisory, stating:

“This vulnerability could be remotely exploited to gain unauthorized access to the device.

“All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.

“HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013.”

The company states that “Root access to the LeftHand OS does not provide access to the user data being stored on the system”.

Although data isn’t accessible via the backdoor, one user with around 50 TB of StoreVirtual capacity said the account gave sufficient access to reboot nodes in a cluster, “and so cripple the cluster”.

“It lets you browse to “SMH » Security » Trusted Management Servers” though, (“Certificates are used to establish the trust relationship between Systems Insight Manager or Insight Manager 7 and the System Management Homepage.”) You can use that to import a certificate to trust another Systems Insight Manager box,” said that user, who asked not to be identified.

And, of course, there’s the “reset factory defaults” option, which would nuke all a user’s data. ®

http://www.theregister.co.uk/2013/07/11/hp_prepping_fix_for_latest_storage_vuln/

Subscribe

Subscribe to our RSS feed and social profiles to receive updates.

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: