Feeds

HP storage: more possible backdoors

LeftHand, StoreVirtual remote reset suggests factory account

Gartner critical capabilities for enterprise endpoint backup

Technion, the blogger who recently turned up an undocumented back door in HP's StoreOnce, has turned up similar issues in other HP products - publicised on support forums by the company, but unnoticed at the time.

According to his trawling of various HP support forums, he has told The Register there appear to be company support backdoors in the company's StoreVirtual SAN products, based on the LeftHand operating system.

The hardware used to include a hard-reset button to set the factory defaults but this was removed as a security measure (that is, so insiders couldn't give themselves admin privileges to hardware they shouldn't access by resetting it). However, the solution seems to Technion no better: administrative password recovery is now carried out remotely by HP support.

That suggests the devices include an HP-accessible support account has been incorporated into the LeftHand 9.0 and higher code – and the accounts have existed since as far back as 2009.

As has been demonstrated many times over, any remotely-accessible login provides a potential attack vector, should the userid and password be discovered by attackers.

Both the support forum posts Technion identified (and contacted HP about) are unequivocal: lost admin passwords are resettable by HP. One, from November 2011, states: “You will need to call support and they can get into the backed and reset it for you. 1-800-633-3600 'Lefthand Solutions'”. The other, posted by a LeftHand product manager in 2009, states: “Call support. They can reset the password remotely.”

The Register contacted HP last week, and has today received this response: “HP takes seriously its responsibility of maintaining current security policies as a top priority for our customers. We are aware of a potential HP StoreVirtual security issue, and are actively working on a fix for our customers. Further information will be shared as soon as it is available.” ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Microsoft: Azure isn't ready for biz-critical apps … yet
Microsoft will move its own IT to the cloud to avoid $200m server bill
Oracle reveals 32-core, 10 BEEELLION-transistor SPARC M7
New chip scales to 1024 cores, 8192 threads 64 TB RAM, at speeds over 3.6GHz
US regulators OK sale of IBM's x86 server biz to Lenovo
Now all that remains is for gov't offices to ban the boxes
Object storage bods Exablox: RAID is dead, baby. RAID is dead
Bring your own disks to its object appliances
Nimble's latest mutants GORGE themselves on unlucky forerunners
Crossing Sandy Bridges without stopping for breath
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.