Security Experts:

HP Confirms Backdoor In StoreOnce Backup Product Line

Security response personnel at HP are "actively working on a fix" for a potentially dangerous backdoor in older versions of its StoreOnce backup product line.

The company’s confirmation of what it describes as a “potential security issue” follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP’s StoreOnce backup systems.

According to the warning from an unidentified security researcher, an attacker can simply enter the username “HPSupport” and an easy-to-crack preset password to gain full administrative access to a vulnerable StoreOnce system. 

The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password.

HP StoreOnce BackdoorThe researcher said he opted to go public with the vulnerability -- and the tantalizing password hash -- because HP’s security response team was being tardy on addressing the issue.

In a statement issued to SecurityWeek, an HP spokesperson said a fix in the works.

“HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix. More information for customers will be made available within a few hours,” the company said in the statement.

*Update: At approximately 3PM ET on Wednesday, HP issued a security bulletin related to the Unauthorized Remote Access and Modification vulnerability, which was assigned CVE-2013-2342. According to the bulletin, impacted versions include HP StoreOnce D2D Backup platforms running software version 2.2.17 or older and 1.2.17 or older.

HP said that a software patch will be made available to customers on July 7, which will disable the undocumented HP Support user account.

“In the interim, customers who wish to disable the backdoor can contact HP support for assistance on this,” the advisory noted. “HP support personnel will provide the assistance to manually disable the HPSupport user account.”

The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers.

This is not the first time HP has struggled with backdoors in its enterprise-facing products. In December 2010, a similar hardcoded backdoor was discovered in HP's MSA2000 G3 modular storage array systems. 

“The practice of embedding hardcoded passwords, as demonstrated in this most recent HP storage device example, is not only commonplace, but extremely risky,” Shlomi Dinoor, Vice President emerging technologies at Cyber-Ark Software told SecurityWeek at the time. “So too is the practice of attempting to ship systems with ‘hidden’ admin users, but in this age of openness, nothing is hidden, and vendors should know that.

“In reality, organizations need to look at everything that has a microprocessor, memory or an application/process running – these all have similar embedded credentials that represent significant organizational vulnerabilities. This further proves that “faith based security” - relying on vendors to provide systems with built-in robust security- is not a good practice.” 

*Updated to include details on security advisory issued by HP

Ryan is the host of the podcast series "Security Conversations - a podcast with Ryan Naraine". He is the head of Kaspersky Lab's Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.