
HP warns on presence of backdoor in storage devices

HP publicly admitted the presence of a backdoor in its StoreVirtual storage products, which are designed to respond to the needs of virtualized environments.

In particular, the company revealed the presence of an undocumented administrative account in the StoreVirtual product family.

The official security bulletin from HP Support is HPSBST02896 rev.1 – HP StoreVirtual Storage, Remote Unauthorized Access.

HP revealed the presence of the backdoor and informed its clients that a patch will be released by July 17th. The discovery was made by the blogger known as Technion, who recently published information on an undocumented backdoor in HP’s StoreOnce product. Technion found that the administrative password is recoverable remotely by HP support.

“This vulnerability could be remotely exploited to gain unauthorized access to the device.” “All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.”

“HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013.” states the HP security advisory.

HP remarked that its storage appliances use the LeftHand OS, which is not accessible to the end user (root access is blocked); restricted access is available to the user via the HP StoreVirtual Command-Line Interface.

Root access is used by HP Support to resolve complex customer issues.

 “To facilitate these cases, a challenge-response-based one-time password utility is employed by HP Support to gain root access to systems when the customer has granted permission and network access to the system. The one-time password utility protects the root access to prevent repeated access to the system with the same pass phrase. Root access to the LeftHand OS does not provide access to the user data being stored on the system.”
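A minimal sketch of a challenge-response one-time support-access gate of the kind the advisory describes, added here as an illustration: it is not HP's code, and the HMAC construction, the names, the TTL value and the `enabled` switch are all assumptions. It shows why a captured response cannot be replayed and what a customer-controlled disable switch changes.

```python
import hashlib
import hmac
import secrets
import time

RESPONSE_TTL = 300  # seconds a challenge stays valid (assumed value)


def expected_response(key: bytes, challenge: str) -> str:
    """What the support-side utility would compute for a given challenge."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


class SupportAccessGate:
    """Device-side gate for vendor support logins (hypothetical design)."""

    def __init__(self, device_key: bytes, enabled: bool = False):
        self._key = device_key   # secret shared with vendor support
        self.enabled = enabled   # customer-controlled switch, off by default
        self._pending = {}       # challenge -> time it was issued

    def issue_challenge(self, now=None) -> str:
        if not self.enabled:
            raise PermissionError("support access disabled by customer")
        challenge = secrets.token_hex(16)
        self._pending[challenge] = time.time() if now is None else now
        return challenge

    def verify(self, challenge: str, response: str, now=None) -> bool:
        now = time.time() if now is None else now
        # Single use: the challenge is consumed by any attempt, valid or not.
        issued = self._pending.pop(challenge, None)
        if not self.enabled or issued is None or now - issued > RESPONSE_TTL:
            return False
        return hmac.compare_digest(expected_response(self._key, challenge), response)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    gate = SupportAccessGate(key, enabled=True)
    c1 = gate.issue_challenge(now=0)
    r1 = expected_response(key, c1)
    first = gate.verify(c1, r1, now=10)    # fresh challenge, correct response
    replay = gate.verify(c1, r1, now=20)   # same pair presented again
    c2 = gate.issue_challenge(now=0)
    expired = gate.verify(c2, expected_response(key, c2), now=RESPONSE_TTL + 1)
    gate.enabled = False                   # customer switches support access off
    try:
        gate.issue_challenge()
        blocked = False
    except PermissionError:
        blocked = True
    return {"first": first, "replay": replay, "expired": expired, "disabled_blocks": blocked}
```

The one-time property limits reuse of a response, but anyone holding the shared secret can still answer a fresh challenge, which is why the ability to switch the mechanism off matters.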

The blogger revealed that the flaw seems to be a company support backdoor left in the HP StoreVirtual SAN product family, which is based on the LeftHand operating system.

What is concerning is that the backdoors appear to date back to 2009; since then, HP users have confirmed the backdoor’s presence to media such as The Register, providing evidence of credentials that allow remote access to the storage devices. Another curious detail is that the password used for the undocumented administrative account doesn’t satisfy password complexity tests: it seems that the credentials use no capital letters, numerals or symbols.

Technion identified two support forum posts that unequivocally demonstrate that lost admin passwords are resettable by HP.

“You will need to call support and they can get into the backend and reset it for you. 1-800-633-3600 ‘Lefthand Solutions’,” states one of the posts.

The other, posted by a LeftHand product manager in 2009, confirmed the possibility of a remote password reset: “Call support. They can reset the password remotely.”

The good news is that HP announced that “Root access to the LeftHand OS does not provide access to the user data being stored on the system”.

Although HP excludes data theft, it must be considered that an attacker could reboot nodes in a cluster, with serious repercussions. The following picture lists the HP devices containing the backdoor:

 

 

In June 2013 SecurityWeek had already reported on the HP storage issue, describing the company’s confirmation of what it called a “potential security issue” following the public disclosure that malicious hackers can use SSH access to perform a full remote compromise of HP’s StoreOnce backup systems. In a statement issued to SecurityWeek, an HP spokesperson said a fix is in the works.

“HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix. More information for customers will be made available within a few hours,” 

An HP user on a support forum revealed that the vulnerability also allows the attacker to browse to “SMH » Security » Trusted Management Servers” and import a certificate to trust another Systems Insight Manager box.

Certificates are used to establish the trust relationship between Systems Insight Manager or Insight Manager 7 and the System Management Homepage.

This is not the first time that researchers have found a backdoor for maintenance purposes in commercial hardware products. HP, for example, was cited by various security experts in December 2010 for a similar hardcoded backdoor in its MSA2000 G3 modular storage array systems.

The practice of embedding hardcoded passwords is very risky because it exposes customers to attacks by hackers.

“organizations need to look at everything that has a microprocessor, memory or an application/process running – these all have similar embedded credentials that represent significant organizational vulnerabilities. This further proves that “faith based security” – relying on vendors to provide systems with built-in robust security – is not a good practice,” said Shlomi Dinoor, Vice President emerging technologies at Cyber-Ark Software.

The security of any hardware product is the result of the security of each component it includes; vendors have to consider this carefully.

Pierluigi Paganini

(Security Affairs – HP, backdoor)
