Feeds

HP storage: more possible backdoors

LeftHand, StoreVirtual remote reset suggests factory account

Top 5 reasons to deploy VMware with Tegile

Technion, the blogger who recently turned up an undocumented back door in HP's StoreOnce, has turned up similar issues in other HP products - publicised on support forums by the company, but unnoticed at the time.

According to his trawling of various HP support forums, he has told The Register there appear to be company support backdoors in the company's StoreVirtual SAN products, based on the LeftHand operating system.

The hardware used to include a hard-reset button to set the factory defaults but this was removed as a security measure (that is, so insiders couldn't give themselves admin privileges to hardware they shouldn't access by resetting it). However, the solution seems to Technion no better: administrative password recovery is now carried out remotely by HP support.

That suggests the devices include an HP-accessible support account has been incorporated into the LeftHand 9.0 and higher code – and the accounts have existed since as far back as 2009.

As has been demonstrated many times over, any remotely-accessible login provides a potential attack vector, should the userid and password be discovered by attackers.

Both the support forum posts Technion identified (and contacted HP about) are unequivocal: lost admin passwords are resettable by HP. One, from November 2011, states: “You will need to call support and they can get into the backed and reset it for you. 1-800-633-3600 'Lefthand Solutions'”. The other, posted by a LeftHand product manager in 2009, states: “Call support. They can reset the password remotely.”

The Register contacted HP last week, and has today received this response: “HP takes seriously its responsibility of maintaining current security policies as a top priority for our customers. We are aware of a potential HP StoreVirtual security issue, and are actively working on a fix for our customers. Further information will be shared as soon as it is available.” ®

Beginner's guide to SSL certificates

More from The Register

next story
Ellison: Sparc M7 is Oracle's most important silicon EVER
'Acceleration engines' key to performance, security, Larry says
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Lenovo to finish $2.1bn IBM x86 server gobble in October
A lighter snack than expected – but what's a few $100m between friends, eh?
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
Troll hunter Rackspace turns Rotatable's bizarro patent to stone
News of the Weird: Screen-rotating technology declared unpatentable
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.