Pierluigi Paganini July 12, 2013

HP publicly admitted the presence of backdoor in its StoreVirtual storage products designed to respond to the needs of virtualized environments.

HP publicly admitted the presence of backdoor in its storage products, in particular the company revealed the presence of an undocumented administrative account in the product family StoreVirtual designed to respond to the needs of virtualized environments.

The official security bulletin from HP Support is HPSBST02896 rev.1 – HP StoreVirtual Storage, Remote Unauthorized Access.

HP is revealed the presence of the backdoor and informed its clients that a patch will be released within July 17^th, the discovery was made by the blogger known as Technion that recently issued information on  an undocumented backdoor in HP’s StoreOnce product. Technion found administrative password recoverable remotely by HP support.

“This vulnerability could be remotely exploited to gain unauthorized access to the device. “All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.”

“HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013.” states the HP security advisory.

HP remarked that its storage appliances use the LeftHand OS which is not accessible to the end user (root access is blocked), a restricted access is available to the user via the HP StoreVirtual Command-Line Interface.

The root access is used by HP Support for customer support to resolve complex issues.

 “To facilitate these cases, a challenge-response-based one-time password utility is employed by HP Support to gain root access to systems when the customer has granted permission and network access to the system. The one-time password utility protects the root access to prevent repeated access to the system with the same pass phrase. Root access to the LeftHand OS does not provide access to the user data being stored on the system.”

The blogger revealed that the flaw seems to be company support backdoor left in the HP StoreVirtual SAN product family that is based on the Left Hand operating system.

What is concerning is that the backdoors appear to be dated to 2009, since then HP users have confirmed the backdoor’s presence to media such as The Register providing evidence of credentials that allow remote access to the storage devices. Another curious particular is that the password used for an undocumented administrative account doesn’t satisfy the password complexity tests, it seems that the credentials no use capital letters, numerals and symbols.

Technion identified two support forum posts that unequivocally demonstrate that lost admin passwords are resettable by HP.

“You will need to call support and they can get into the backed and reset it for you. 1-800-633-3600 ‘Lefthand Solutions’”. states one of the posts.

The other, posted by a LeftHand product manager in 2009 confirmed the possibility for a remote password reset: “

Call support. They can reset the password remotely.”

The good news is that HP announced that “Root access to the LeftHand OS does not provide access to the user data being stored on the system”.

Despite data theft is excluded by HP it must be considered that an attacker could to reboot nodes in a cluster with serious repercussions. In the following picture the list of HP devices containing the backdoor:

On June 2013 Security Week already published the news related the HP storages, it described the HP company’s confirmation of what it describes as a “potential security issue” follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP’s StoreOnce backup systems. In a statement issued to SecurityWeek, an HP spokesperson said a fix in the works.

“HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix. More information for customers will be made available within a few hours,” 

On an HP user on a support forum revealed that the vulnerability also allows the attacker to browse to “SMH » Security » Trusted Management Servers and import a certificate to trust another Systems Insight Manager box.

Certificates are used to establish the trust relationship between Systems Insight Manager or Insight Manager 7 and the System Management Homepage.

This is not the first time that researchers found a hardware backdoor for maintenance purpose in commercial products,  HP for example in December 2010 was cited by various security experts for a similar hardcoded backdoor in HP’s MSA2000 G3 modular storage array systems.

The practice of embedding hardcoded passwords is very risky because exposes customers to the offensive of hackers.

“organizations need to look at everything that has a microprocessor, memory or an application/process running – these all have similar embedded credentials that represent significant organizational vulnerabilities. This further proves that “faith based security” – relying on vendors to provide systems with built-in robust security- is not a good practice.” said Shlomi Dinoor, Vice President emerging technologies at Cyber-Ark Software.

The security of any hardware is the resultant of security of each component they include, vendors have to carefully consider it.

Pierluigi Paganini

(Security Affairs – HP, backdoor)