Back door in HP network storage solution - Update
HP's P2000 G3 MSA Storage Area Network (SAN) product contains a hidden and undocumented account with more privileges than the normal customisable account (manage:!manage). Apparently included for support purposes, the account (admin:!admin) is not visible in the user manager and can't be deleted or modified. It allows unauthorised users to access these systems and the data stored there.
A reader of heise Online, The H's associated publication in Germany, came across the problem and asked HP about it. HP's support team reportedly admitted that the account allows users to "modify the SAN's hardware settings and underlying operating system", and that it is therefore not intended for customer use.
HP has confirmed the problem and announced the release of a fix to solve it. Additionally, according to a post on SecurityFocus, users can change the password for the invisible user account using the command-line interface (CLI).
Update: HP says it has identified a potential security issue with the HP StorageWorks P2000 G3 MSA only. This does not impact HP’s entire MSA line of storage solutions. An immediate fix for this issue has been identified and customers are rapidly being informed of the solution.
- HP StorageWorks P2000 G3 MSA Array Systems-How to change additional Service Account password, a Hewlett Packard customer advisory.