HP Promises To Cover StoreVirtual Storage Backdoor

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

For the second time in a month, HP squeezes out a fix for a backdoor in one of its storage products

For the second time in a month, HP has announced a patch for an easily-exploitable backdoor in one of its storage products.

The latest fix coming out of the troubled Silicon Valley firm is for its StoreVirtual appliances designed to support customers’ virtualised infrastructure. HP admitted the backdoor “could be remotely exploited to gain unauthorized access to the device”.

HP backdoors

“All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today,” the company said in an advisory.

“HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before 17 July 2013.”

The firm said root access to the StoreVirtual operating system, LeftHand OS, was not granted to the user but HP support could get that level of access. The problem is that the “one-time” passwords used by HP support to gain root access can be easily guessed.

Fortunately for users, root access to the LeftHand OS “does not provide access to the user data being stored on the system”, although the urgency of HP’s fix suggests hackers with access could still cause plenty of trouble.

Towards the end of last month, HP pushed out a fix for its StoreOnce storage area networking (SAN) product.

The backdoor in that appliance allowed anyone to open up an SSH client, enter the IP address of a StoreOnce device and use the username HPSupport. All that was then needed was to guess the password, thought to have been very simple, to gain access to an admin account.
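As an added example (not from the article or from HP), a defender-side check over constructed OpenSSH-format auth log lines: it flags any accepted login to the HPSupport account and counts failed attempts per source address, the trace that repeated password guessing against such an account would leave. The log format, host name and addresses are assumptions, not taken from a real appliance.

```python
import re
from collections import Counter

# Constructed sample lines in standard OpenSSH syslog format (not from a real appliance).
SAMPLE_LOG = """\
Jun 25 09:12:01 storeonce1 sshd[2210]: Failed password for HPSupport from 203.0.113.5 port 50122 ssh2
Jun 25 09:12:03 storeonce1 sshd[2210]: Failed password for HPSupport from 203.0.113.5 port 50122 ssh2
Jun 25 09:12:06 storeonce1 sshd[2210]: Accepted password for HPSupport from 203.0.113.5 port 50122 ssh2
Jun 25 09:30:44 storeonce1 sshd[2301]: Accepted publickey for admin from 192.0.2.10 port 41022 ssh2
Jun 25 10:02:17 storeonce1 sshd[2388]: Failed password for HPSupport from 198.51.100.7 port 61010 ssh2
"""

# Vendor support account named in the article; the only page-specific value used here.
SUPPORT_ACCOUNT = "HPSupport"

# Matches the standard sshd "Accepted/Failed <method> for <user> from <src> port <n>" line.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def audit_support_logins(log_text, account=SUPPORT_ACCOUNT):
    """Return (accepted, failed_by_src) for the given support account.

    accepted:      list of (timestamp, src) for successful logins (always worth an alert)
    failed_by_src: Counter of failed attempts per source address (password-guessing signal)
    """
    accepted = []
    failed_by_src = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m.group("user") != account:
            continue
        ts = line[:15]  # syslog timestamp, e.g. "Jun 25 09:12:06"
        if m.group("result") == "Accepted":
            accepted.append((ts, m.group("src")))
        else:
            failed_by_src[m.group("src")] += 1
    return accepted, failed_by_src


if __name__ == "__main__":
    ok, failed = audit_support_logins(SAMPLE_LOG)
    for ts, src in ok:
        print(f"ALERT {ts}: {SUPPORT_ACCOUNT} login accepted from {src}")
    for src, n in failed.items():
        print(f"{n} failed {SUPPORT_ACCOUNT} attempt(s) from {src}")
```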

Details of the vulnerability were made public by Technion in June, before HP issued a patch. Those running software version 3.0.0 or newer were not affected.
