Backdoor in HP backup servers

According to security researcher Technion, SSH access is all that's required to remotely compromise HP StoreOnce backup systems. Entering the user name "HPSupport" and a preset password causes the system to open an undocumented administrator account.

StoreOnce backup systems are not low-end products: the version with twelve 1TB disks (with a usable capacity of 6TB) costs more than €12,000. The price premium compared to a normal server of this size is explained by the StoreOnce Catalyst software included with the server. According to HP, the product's deduplication functionality reduces the size of data backups by up to 95 per cent.

In his post disclosing the vulnerability, Technion complains that HP has spent three weeks stalling him rather than doing something about the vulnerability. He says that, given that HP is responsible for vulnerability broker Zero Day Initiative (ZDI), its behaviour is unacceptable. The ZDI does, however, give vendors 60 days to resolve vulnerabilities.

The disclosure is given added spice by Technion's decision to publish the SHA1 hash for the password for accessing the hidden administrator account. Hashes can be brute forced to obtain the actual password. It will not be long before the decrypted string is circulating on the usual forums. The password is just seven characters long and draws on a ten-year old meme.

Technion considers the StoreOnce security vulnerability to be inexcusable, especially given that HP was reported as having an identical security vulnerability in December 2010, when it was revealed that there was a hidden service account in its network storage solution StorageWorks P2000 G3. In that case, it was at least possible to change the password. Whether this is the case for StoreOnce systems is not yet known.

(sno)