HP storage: more possible backdoors
LeftHand, StoreVirtual remote reset suggests factory account
Technion, the blogger who recently turned up an undocumented back door in HP's StoreOnce, has turned up similar issues in other HP products - publicised on support forums by the company, but unnoticed at the time.
According to his trawling of various HP support forums, he has told The Register there appear to be company support backdoors in the company's StoreVirtual SAN products, based on the LeftHand operating system.
The hardware used to include a hard-reset button to set the factory defaults but this was removed as a security measure (that is, so insiders couldn't give themselves admin privileges to hardware they shouldn't access by resetting it). However, the solution seems to Technion no better: administrative password recovery is now carried out remotely by HP support.
That suggests the devices include an HP-accessible support account has been incorporated into the LeftHand 9.0 and higher code – and the accounts have existed since as far back as 2009.
As has been demonstrated many times over, any remotely-accessible login provides a potential attack vector, should the userid and password be discovered by attackers.
Both the support forum posts Technion identified (and contacted HP about) are unequivocal: lost admin passwords are resettable by HP. One, from November 2011, states: “You will need to call support and they can get into the backed and reset it for you. 1-800-633-3600 'Lefthand Solutions'”. The other, posted by a LeftHand product manager in 2009, states: “Call support. They can reset the password remotely.”
The Register contacted HP last week, and has today received this response: “HP takes seriously its responsibility of maintaining current security policies as a top priority for our customers. We are aware of a potential HP StoreVirtual security issue, and are actively working on a fix for our customers. Further information will be shared as soon as it is available.” ®