HP closes StoreVirtual backdoor, slings key
Factory account still present, now requires one-time password
Hewlett-Packard has issued a patch for the StoreVirtual vulnerability under which an undocumented factory account existed in a number of products running its LeftHand (or SAN iQ) software older than version 10.5.
The latest patch, available here, identifies 21 affected products, including Dell's PowerEdge 2950 and the IBM System x3650, to which the patch should be applied.
In both the StoreOnce and StoreVirtual products, the factory accounts were intended for support use. However, as Technion pointed out to Vulture South, if the accounts had fixed passwords and those passwords became known, any system visible to the Internet would be vulnerable to unauthorised remote access.
The patch now protects the factory accounts with a challenge-response-based one-time password. ®