
HP Issues Fix for Backdoor Vulnerability in StoreOnce Systems

HP’s security response team has released a fix to address the backdoor vulnerability in its StoreOnce backup systems disclosed late last month by an independent security researcher.


HP released two software updates, one for HP StoreOnce D2D Backup platforms running software version 2.2.18 or later, and the other for HP StoreOnce D2D Backup platforms running software version 1.2.18 or later, according to the updated security advisory. “Customers will need to upgrade their affected HP StoreOnce Backup systems with the software update,” HP said.

HP StoreOnce Backdoor

Last month, an independent security researcher anonymously warned that an attacker could remotely log in to a vulnerable StoreOnce D2D Backup System with the username “HPSupport” and a password that was easy to brute-force. Shortly after the disclosure post went live, HP acknowledged a “potential security issue” in its security advisory and promised a fix as soon as possible.

As SecurityWeek reported previously, HP said the problem existed only in older systems. The HPSupport account with the pre-set password did not exist on HP StoreOnce Backup systems running software version 3.0.0 or newer, according to the advisory. The researcher was not able to verify the claim, according to an email interview with SecurityWeek.

The researcher said public disclosure was necessary because he had tried to work with HP’s security response team for three weeks without getting anywhere. That seemed to do the trick: after the details were published, a different team at HP reached out to the researcher and has been “quite communicative,” according to the email interview.

In HP’s advisory, the security team said the HPSupport user account does not have any access to the data that has been backed up to the HP StoreOnce Backup system, so the backed up data is safe from malicious activity. However, the team acknowledged the attacker could use the account to reset the system to factory defaults, which would wind up deleting all backed up data on the box.

The claim that anyone using the HPSupport user account will not be able to read or download the backup doesn’t appear to be quite accurate. “The claim backup data is unaccessible is false,” the researcher told SecurityWeek, citing a post on Bugtraq by another researcher, Neusbeer, who discovered that the HPSupport user could change the administrator password.

The HPSupport backdoor account will allow the attacker to change the administrator password and then use the administrator login credentials to access the backup files over the Web-based interface, the researcher said.
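The two checks an operator of a StoreOnce box would want after reading the above are (a) whether the installed software is in the affected range (the advisory says the HPSupport account is absent on 3.0.0 or newer) and (b) whether anyone has been hammering or actually using that account. The following is an added example, not code from HP or from the researchers quoted here; it assumes the appliance logs remote logins in OpenSSH-style syslog lines (the article does not say which protocol the remote login uses, and the sample log lines are constructed for this example), and the `fail_threshold` of five is an arbitrary choice.

```python
import re
from dataclasses import dataclass

# Vendor support account named in HP's advisory; any login as it is suspect.
BACKDOOR_ACCOUNT = "HPSupport"

# Assumed OpenSSH-style auth log format (not stated on the page).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def is_affected_version(version: str) -> bool:
    """Per the advisory, software 3.0.0 or newer does not carry the HPSupport
    account; anything older is treated as affected.  Handles short versions
    such as '3.1' by padding to three components before comparing."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts = (parts + (0, 0, 0))[:3]
    return parts < (3, 0, 0)


@dataclass
class Finding:
    severity: str
    src: str
    detail: str


def scan_auth_log(lines, account=BACKDOOR_ACCOUNT, fail_threshold=5):
    """Flag brute-force attempts against and successful logins as `account`.

    Returns one medium finding per source IP when it reaches `fail_threshold`
    failed logins, and one high finding for every accepted login."""
    failures = {}  # source IP -> failed attempts as `account`
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group("user") != account:
            continue
        src = m.group("src")
        if m.group("result") == "Failed":
            failures[src] = failures.get(src, 0) + 1
            if failures[src] == fail_threshold:
                findings.append(Finding(
                    "medium", src,
                    f"{fail_threshold} failed logins as {account} (possible brute force)"))
        else:
            findings.append(Finding(
                "high", src,
                f"successful login as {account} at {m.group('ts')}"))
    return findings


# Constructed sample: five failures then a success from one host, plus a
# legitimate administrator login that must not be flagged.
SAMPLE_LOG = [
    "Apr 12 10:01:02 storeonce sshd[2201]: Failed password for HPSupport from 10.0.0.5 port 51234 ssh2",
    "Apr 12 10:01:04 storeonce sshd[2201]: Failed password for HPSupport from 10.0.0.5 port 51234 ssh2",
    "Apr 12 10:01:06 storeonce sshd[2201]: Failed password for HPSupport from 10.0.0.5 port 51234 ssh2",
    "Apr 12 10:01:08 storeonce sshd[2201]: Failed password for HPSupport from 10.0.0.5 port 51234 ssh2",
    "Apr 12 10:01:10 storeonce sshd[2201]: Failed password for HPSupport from 10.0.0.5 port 51234 ssh2",
    "Apr 12 10:01:12 storeonce sshd[2201]: Accepted password for HPSupport from 10.0.0.5 port 51234 ssh2",
    "Apr 12 10:05:00 storeonce sshd[2250]: Accepted password for Admin from 10.0.0.9 port 40001 ssh2",
]

if __name__ == "__main__":
    for v in ("2.2.18", "1.2.18", "3.0.0"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    for f in scan_auth_log(SAMPLE_LOG):
        print(f.severity.upper(), f.src, f.detail)
```

A successful login as HPSupport is the one event worth paging on, since per Neusbeer's finding it can be followed by an administrator password reset; the brute-force signal is lower confidence on its own but useful for scoping which hosts were probing.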


When the security advisory was first posted, the researcher complained that HP’s Software Security Response Team had not responded to repeated requests for an update, and that the team had not credited anyone for reporting the issue. When HP updated the advisory with the software update information, the company also credited the discovery of the vulnerability to Joshua Small.
