Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

HP Issues Fix for Backdoor Vulnerability in StoreOnce Systems

HP’s security response team has released a fix to address the backdoor vulnerability in its StoreOnce backup systems disclosed late last month by an independent security researcher.

HP’s security response team has released a fix to address the backdoor vulnerability in its StoreOnce backup systems disclosed late last month by an independent security researcher.

HP released two software updates, one for HP StoreOnce D2D Backup platforms running software version 2.2.18 or later, and the other for HP StoreOnce D2D Backup platforms running software version 1.2.18 or later, according to the updated security advisory. “Customers will need to upgrade their affected HP StoreOnce Backup systems with the software update,” HP said.

HP StoreOnce Backdoor

Last month, an independent security researcher anonymously warned that an attacker could remotely log in to a vulnerable StoreOnce D2D Backup System with the username “HPSupport” and a password that was easy to brute-force. Shortly after the disclosure post went live, HP acknowledged a “potential security issue” in its security advisory and promised that a fix as soon as possible.

As SecurityWeek reported previously, HP said the problem existed only in older systems. The HPSupport account with the pre-set password did not exist on HP StoreOnce Backup systems running software version 3.0.0 or newer, according to the advisory. The researcher was not able to verify the claim, according to an email interview with SecurityWeek.

The public disclosure was necessary because the researcher had tried to work with HP’s security response team for three weeks but did not get anywhere. That seemed to do the trick, since after publishing the details, a different team at HP had reached out to the researcher who has been “quite communicative,” according to the email interview.

In HP’s advisory, the security team said the HPSupport user account does not have any access to the data that has been backed up to the HP StoreOnce Backup system, so the backed up data is safe from malicious activity. However, the team acknowledged the attacker could use the account to reset the system to factory defaults, which would wind up deleting all backed up data on the box.

The claim that anyone using the HPSupport user account will not be able to read or download the backup doesn’t appear to be quite accurate. “The claim backup data is unaccessible is false,” the researcher told SecurityWeek, citing a post on Bugtraq by another researcher Neusbeer who discovered the HPSupport user could change the administrator password.

The HPSupport backdoor account will allow the attacker to change the administrator password and then use the administrator login credentials to access the backup files over the Web-based interface, the researcher said.

When the security advisory first was posted, the researcher lamented that it was frustrating that HP’s Software Security Response Team had not responded to repeated queries for an update, and that the team had not credited anyone for reporting the issue. When HP updated the advisory with the software updates information, the company also credited the discovery of the vulnerability to Joshua Small.

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.