Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

HP Issues Fix for Backdoor Vulnerability in StoreOnce Systems

HP’s security response team has released a fix to address the backdoor vulnerability in its StoreOnce backup systems disclosed late last month by an independent security researcher.

HP’s security response team has released a fix to address the backdoor vulnerability in its StoreOnce backup systems disclosed late last month by an independent security researcher.

HP released two software updates, one for HP StoreOnce D2D Backup platforms running software version 2.2.18 or later, and the other for HP StoreOnce D2D Backup platforms running software version 1.2.18 or later, according to the updated security advisory. “Customers will need to upgrade their affected HP StoreOnce Backup systems with the software update,” HP said.

HP StoreOnce Backdoor

Last month, an independent security researcher anonymously warned that an attacker could remotely log in to a vulnerable StoreOnce D2D Backup System with the username “HPSupport” and a password that was easy to brute-force. Shortly after the disclosure post went live, HP acknowledged a “potential security issue” in its security advisory and promised that a fix as soon as possible.

As SecurityWeek reported previously, HP said the problem existed only in older systems. The HPSupport account with the pre-set password did not exist on HP StoreOnce Backup systems running software version 3.0.0 or newer, according to the advisory. The researcher was not able to verify the claim, according to an email interview with SecurityWeek.

The public disclosure was necessary because the researcher had tried to work with HP’s security response team for three weeks but did not get anywhere. That seemed to do the trick, since after publishing the details, a different team at HP had reached out to the researcher who has been “quite communicative,” according to the email interview.

In HP’s advisory, the security team said the HPSupport user account does not have any access to the data that has been backed up to the HP StoreOnce Backup system, so the backed up data is safe from malicious activity. However, the team acknowledged the attacker could use the account to reset the system to factory defaults, which would wind up deleting all backed up data on the box.

The claim that anyone using the HPSupport user account will not be able to read or download the backup doesn’t appear to be quite accurate. “The claim backup data is unaccessible is false,” the researcher told SecurityWeek, citing a post on Bugtraq by another researcher Neusbeer who discovered the HPSupport user could change the administrator password.

The HPSupport backdoor account will allow the attacker to change the administrator password and then use the administrator login credentials to access the backup files over the Web-based interface, the researcher said.

When the security advisory first was posted, the researcher lamented that it was frustrating that HP’s Software Security Response Team had not responded to repeated queries for an update, and that the team had not credited anyone for reporting the issue. When HP updated the advisory with the software updates information, the company also credited the discovery of the vulnerability to Joshua Small.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.