Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

HP Confirms Backdoor In StoreOnce Backup Product Line

Security response personnel at HP are “actively working on a fix” for a potentially dangerous backdoor in older versions of its StoreOnce backup product line.

Security response personnel at HP are “actively working on a fix” for a potentially dangerous backdoor in older versions of its StoreOnce backup product line.

The company’s confirmation of what it describes as a “potential security issue” follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP’s StoreOnce backup systems.

According to the warning from an unidentified security researcher, an attacker can simply enter the username “HPSupport” and an easy-to-crack preset password to gain full administrative access to a vulnerable StoreOnce system. 

The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password.

HP StoreOnce BackdoorThe researcher said he opted to go public with the vulnerability — and the tantalizing password hash — because HP’s security response team was being tardy on addressing the issue.

In a statement issued to SecurityWeek, an HP spokesperson said a fix in the works.

“HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix. More information for customers will be made available within a few hours,” the company said in the statement.

*Update: At approximately 3PM ET on Wednesday, HP issued a security bulletin related to the Unauthorized Remote Access and Modification vulnerability, which was assigned CVE-2013-2342. According to the bulletin, impacted versions include HP StoreOnce D2D Backup platforms running software version 2.2.17 or older and 1.2.17 or older.

HP said that a software patch will be made available to customers on July 7, which will disable the undocumented HP Support user account.

Advertisement. Scroll to continue reading.

“In the interim, customers who wish to disable the backdoor can contact HP support for assistance on this,” the advisory noted. “HP support personnel will provide the assistance to manually disable the HPSupport user account.”

The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers.

This is not the first time HP has struggled with backdoors in its enterprise-facing products. In December 2010, a similar hardcoded backdoor was discovered in HP’s MSA2000 G3 modular storage array systems. 

“The practice of embedding hardcoded passwords, as demonstrated in this most recent HP storage device example, is not only commonplace, but extremely risky,” Shlomi Dinoor, Vice President emerging technologies at Cyber-Ark Software told SecurityWeek at the time. “So too is the practice of attempting to ship systems with ‘hidden’ admin users, but in this age of openness, nothing is hidden, and vendors should know that.

“In reality, organizations need to look at everything that has a microprocessor, memory or an application/process running – these all have similar embedded credentials that represent significant organizational vulnerabilities. This further proves that “faith based security” – relying on vendors to provide systems with built-in robust security- is not a good practice.” 

*Updated to include details on security advisory issued by HP

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.