HP Promises To Cover StoreVirtual Storage Backdoor

For the second time in a month, HP has announced a patch for an easily exploitable backdoor in one of its storage products.

The latest fix coming out of the troubled Silicon Valley firm is for its StoreVirtual appliances designed to support customers’ virtualised infrastructure. HP admitted the backdoor “could be remotely exploited to gain unauthorized access to the device”.

HP backdoors

“All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today,” the company said in an advisory.

“HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before 17 July 2013.”

The firm said root access to the StoreVirtual operating system, LeftHand OS, was not granted to the user but HP support could get that level of access. The problem is that the “one-time” passwords used by HP support to gain root access can be easily guessed.

Fortunately for users, root access to the LeftHand OS “does not provide access to the user data being stored on the system”, although the urgency of HP’s fix suggests hackers with access could still cause plenty of trouble.

Towards the end of last month, HP pushed out a fix for its StoreOnce storage area networking (SAN) product.

The backdoor in that appliance allowed anyone to open up an SSH client, enter the IP address of a StoreOnce device and use the username HPSupport. All that was then needed was to guess the password, thought to have been very simple, to gain access to an admin account.

Details of the vulnerability were made public by Technion in June, before HP issued a patch. Those running software version 3.0.0 or newer were not affected.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
