Security Experts:

Connect with us

Hi, what are you looking for?



HP Confirms Backdoor In StoreOnce Backup Product Line

Security response personnel at HP are “actively working on a fix” for a potentially dangerous backdoor in older versions of its StoreOnce backup product line.

Security response personnel at HP are “actively working on a fix” for a potentially dangerous backdoor in older versions of its StoreOnce backup product line.

The company’s confirmation of what it describes as a “potential security issue” follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP’s StoreOnce backup systems.

According to the warning from an unidentified security researcher, an attacker can simply enter the username “HPSupport” and an easy-to-crack preset password to gain full administrative access to a vulnerable StoreOnce system. 

The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password.

HP StoreOnce BackdoorThe researcher said he opted to go public with the vulnerability — and the tantalizing password hash — because HP’s security response team was being tardy on addressing the issue.

In a statement issued to SecurityWeek, an HP spokesperson said a fix in the works.

“HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix. More information for customers will be made available within a few hours,” the company said in the statement.

*Update: At approximately 3PM ET on Wednesday, HP issued a security bulletin related to the Unauthorized Remote Access and Modification vulnerability, which was assigned CVE-2013-2342. According to the bulletin, impacted versions include HP StoreOnce D2D Backup platforms running software version 2.2.17 or older and 1.2.17 or older.

HP said that a software patch will be made available to customers on July 7, which will disable the undocumented HP Support user account.

“In the interim, customers who wish to disable the backdoor can contact HP support for assistance on this,” the advisory noted. “HP support personnel will provide the assistance to manually disable the HPSupport user account.”

The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers.

This is not the first time HP has struggled with backdoors in its enterprise-facing products. In December 2010, a similar hardcoded backdoor was discovered in HP’s MSA2000 G3 modular storage array systems. 

“The practice of embedding hardcoded passwords, as demonstrated in this most recent HP storage device example, is not only commonplace, but extremely risky,” Shlomi Dinoor, Vice President emerging technologies at Cyber-Ark Software told SecurityWeek at the time. “So too is the practice of attempting to ship systems with ‘hidden’ admin users, but in this age of openness, nothing is hidden, and vendors should know that.

“In reality, organizations need to look at everything that has a microprocessor, memory or an application/process running – these all have similar embedded credentials that represent significant organizational vulnerabilities. This further proves that “faith based security” – relying on vendors to provide systems with built-in robust security- is not a good practice.” 

*Updated to include details on security advisory issued by HP

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet