Feeds

HP admits to backdoors in storage products

Usernames and passwords in the wild, factory resets possible

Build a business case: developing custom apps

Hewlett-Packard has agreed that there is an undocumented administrative account in its StoreVirtual products, and is promising a patch by 17 July.

The issue, which seems to have existed since 2009, was brought to the attention of The Register by Technion, the blogger who earlier published an undocumented backdoor in the company's StoreOnce products.

Since then, some HP users have confirmed the backdoors in e-mail to The Register, providing evidence of the account names and passwords that allow access to the devices. The Reg can report those credentials would not pass complexity tests required by many websites as they use no numerals, symbols or capital letters.

HP has now issued this security advisory, stating:

“This vulnerability could be remotely exploited to gain unauthorized access to the device.

“All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.

“HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013.”

The company states that “Root access to the LeftHand OS does not provide access to the user data being stored on the system”.

Although data isn't accessible via the backdoor, one user with around 50 TB of StoreVirtual capacity said the account gave sufficient access to reboot nodes in a cluster, “and so cripple the cluster”.

“It lets you browse to "SMH » Security » Trusted Management Servers" though, ("Certificates are used to establish the trust relationship between Systems Insight Manager or Insight Manager 7 and the System Management Homepage.") You can use that to import a certificate to trust another Systems Insight Manager box,” said that user, who asked not to be identified.

And, of course, there's the "reset factory defaults" option, which would nuke all a user's data. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?