HP admits to undocumented backdoors in two separate storage lines

Malicious hackers could exploit the backdoors into StoreOnce and StoreVirtual hardware to gain root access

HP has owned up to undocumented backdoors in members of its StoreOnce D2D Backup and StoreVirtual Storage product lines that can grant malicious hackers root access to the systems' OS. A fix for the HP StoreOnce D2D Backup Systems already exists; the company said it would deliver a patch for the StoreVirtual gear by July 17.

HP has credited security researcher Joshua Small (whose online handle is Technion) with disclosing the vulnerabilities, both of which stem from a mechanism for providing remote support. If a customer calls HP in need of assistance with an issue, the support rep can use a special login name and password to attain root access to the custom LeftHand OS. The problem is that a malicious hacker could get his or her hands on those credentials to break into an affected system and wreak havoc, such as erasing its contents.

Small summed up the flaw in the StoreOnce systems: "Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn't know existed."

According to Small, more than 55 users responded to his warning, telling him they had broken the hash.

The vulnerability affects HP StoreOnce D2D Backup platforms running software version 2.2.17 or older and 1.2.17 or older. The company said it has released updates, 2.2.18 and 1.2.18, which IT shops should download and apply as soon as possible.

HP noted the issue does not affect HP StoreOnce Backup systems running version 3.0.0 or higher. "Devices running software version 3.0.0 or higher do not have an HPSupport user account with a pre-set password configured," according to the alert.

Companies seeking to update straight to 3.0.0 have their work cut out for them, according to The H: "The storage methods used in StoreOnce 3.x differ fundamentally from those used in previous systems. Before installing the new software, administrators wanting to upgrade will therefore first need to backup all data stored on their system and then restore it following the upgrade. For many customers, the patch for StoreOnce 2.x released on [July 7] may, therefore, represent a simpler short-term solution."

As for the StoreVirtual line, the issue affects hardware running LeftHand OS versions 10.5 and earlier. HP has warned that the systems "are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today."

HP support staff uses "a challenge-response-based one-time password utility" to obtain that root access, according to the company. "The one-time password utility protects the root access to prevent repeated access to the system with the same pass phrase. Root access to the LeftHand OS does not provide access to the user data being stored on the system," according to the alert.

HP said that by July 17, it will roll out a patch that will allow customers to disable the support access. Once the patch is available, customers will need to upgrade their HP StoreVirtual systems. "HP Support may still request root access to customer systems in order to resolve certain support issues," according to the company.

This story, "HP admits to undocumented backdoors in two separate storage lines," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies