New backdoor in HP server products
Computer manufacturer HP has admitted that its StoreVirtual servers also contain an undocumented backdoor. The security vulnerability risks allowing attackers to gain unauthorised access to the storage systems. The backdoor provides users with direct access to the holy of holies, "LeftHand" (the operating system for the StoreVirtual server). HP has previously marketed its StoreVirtual systems as LeftHand Storage and P4000 SAN. LeftHand OS was originally called SAN/iQ.
In a security advisory, HP stresses that, although the backdoor provides root access to the server, it does not provide access to the user data stored on the server system. HP is planning to provide a patch to permanently deactivate the backdoor by 17 July.
Late June saw the disclosure of the presence of a similar backdoor in HP backup servers. As with the company's StoreOnce systems, this case revolves around undocumented administrator access. In an emergency – such as a need to reset the main password – this enabled HP staff to offer users the option of carrying out remote maintenance. As with StoreOnce, disclosure of the vulnerability is once again down to security researcher Joshua Small (known by his online pseudonym Technion).
The backdoor in StoreOnce systems only affected devices that had not yet been updated to version 3.x of the software, released in November 2012. According to HP, all second generation StoreOnce devices can be updated to StoreOnce 3.x – only the early StorageWorks D2D devices are unable to run this software. A list of affected systems can be found in the official advisory from HP.
The storage methods used in StoreOnce 3.x differ fundamentally from those used in previous systems. Before installing the new software, administrators wanting to upgrade will therefore first need to backup all data stored on their system and then restore it following the upgrade. For many customers, the patch for StoreOnce 2.x released on 7 July may, therefore, represent a simpler short-term solution. Joshua Small has tested this patch and confirms that it does indeed deactivate the hidden HPSupport account.
Small unilaterally disclosed the StoreOnce security vulnerability out of pure frustration, also revealing the name of the support account and the SHA-1 hash of the password. Hackers would have made short work of cracking the actual password, which was only seven characters long. Prior to this disclosure, Small had spent several weeks vainly trying to wake HP up to the seriousness of the security vulnerability. HP, however, waited for the vulnerability to be disclosed before finally reacting.
HP proved a lot more open when Small contacted it about the backdoors in its StoreVirtual servers, and Small consequently held back from immediate disclosure. The administrator backdoor has been part of LeftHand OS since at least 2009. Once again, the account appears to have a fixed user name and password.