
Hidden Backdoor Discovered On HP MSA2000 Arrays 197

wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."
  • Re:Ok so two things (Score:5, Interesting)

    by Saishuuheiki ( 1657565 ) on Tuesday December 14, 2010 @05:39PM (#34552684)

    One would assume that you would hardcode it so if the user loses his password, he can call the company. And trust me, they WILL lose their password.

    One would hope that the password is put somewhere that a firmware flash can change it however.

  • Re:Wow... (Score:2, Interesting)

    by Anonymous Coward on Tuesday December 14, 2010 @05:41PM (#34552718)

    Anyone started testing other HP equipment for the same issue?

    Not familiar with the product in question, but it's possible a superuser account could have been embedded like this so they could reset data on RMA'd units without having to pull the chips... or for remote troubleshooting. That doesn't make it any less stupid, but if it's here there's no reason it couldn't exist in other similar products... or even not so similar ones.

    Probably worth checking if you have any HP gear in house, better safe than sorry.

  • Some other examples (Score:3, Interesting)

    by Anonymous Coward on Tuesday December 14, 2010 @05:42PM (#34552754)

    Your point about relying on vendors is a superb one. Here's another data point to be concerned with.

    A lot of startups, and not-so-small companies, source their boxes from Asian manufacturers. This is generally known, and not a surprise. What may be a surprise is that not even the vendor who turns it into a server type of product is authorized to open the box. If they do, the warranty is voided. The top end boxes will go for +$15K a pop, so you can darn well be certain that the vendor doesn't open the system.

    This is a superb opportunity for Chinese manufacturers to put in a back door to an embedded server product. I can think of a half dozen vendors, whose names everyone recognizes, which do this.

    Good luck on securing that.

  • by Anonymous Psychopath ( 18031 ) on Tuesday December 14, 2010 @05:46PM (#34552824)

    Don't we hear every so often about how the US government wants backdoors into otherwise secure systems and crypto algorithms for "national security" or "law enforcement" purposes? I suspect that the MSA2000 was required to have a backdoor to appease Uncle Sam, and somebody at HP decided that if Uncle Sam wanted a backdoor, Uncle Sam could damn well have a goate.cx-esque backdoor.

    Exactly! What happened was that they used this type of storage array to hold data on the 9/11 cover-up, and also to edit the footage of the "moon landing". Also the specs for their black surveillance whisper copters.

    Or someone at HP is a moron.

  • Re:Wow... (Score:5, Interesting)

    by pixelpusher220 ( 529617 ) on Tuesday December 14, 2010 @06:08PM (#34553242)

    On a serious note, with a user name of 'admin', would that prevent an actual user account being created with 'admin' as the name?

    Wonder if that might be a new check to run on vendor systems to weed out the truly stupid 'features' like this one. Run a script to create frequently used admin accounts and see if any fail due to them already existing.
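    The audit pixelpusher220 sketches, written out as an added example (not part of this thread or of any HP tool): it tries to create a list of commonly used administrative names on a device and flags any that the device rejects as already existing while they are absent from its visible user list. The device interface (`list_users`, `create_user`, `delete_user`, `AccountExistsError`) is a constructed stand-in, as is the `FakeArray` used to run it offline; a real device would need a small adapter that maps those calls onto its CLI or API.

```python
"""Probe a device's user manager for built-in accounts that its user list does
not show. Added example; the device API here is a constructed stand-in."""

import secrets
from dataclasses import dataclass, field

# Names that vendors and administrators most often pick for built-in accounts
# (constructed list; extend it with the names your own estate uses).
COMMON_ADMIN_NAMES = [
    "admin", "administrator", "root", "manage", "monitor",
    "service", "support", "guest", "operator",
]


class AccountExistsError(Exception):
    """Raised by the (hypothetical) device API when a username is taken."""


@dataclass
class FakeArray:
    """Constructed stand-in for a storage array's user manager.

    `visible` holds accounts the user manager lists; `hidden` simulates a
    built-in account that is enforced on creation but never displayed.
    """
    visible: set = field(default_factory=set)
    hidden: set = field(default_factory=set)

    def list_users(self):
        return sorted(self.visible)

    def create_user(self, name, password):
        if name in self.visible or name in self.hidden:
            raise AccountExistsError(name)
        self.visible.add(name)

    def delete_user(self, name):
        self.visible.discard(name)


def probe_reserved_accounts(device, candidates=COMMON_ADMIN_NAMES):
    """Return candidate names the device refuses to create as duplicates
    even though they do not appear in its user list.

    Names already visible are skipped (nothing hidden about them). Probe
    accounts that do get created are removed again so the audit leaves the
    device as it found it.
    """
    listed = set(device.list_users())
    suspicious = []
    for name in candidates:
        if name in listed:
            continue
        # A fresh random password per probe so a probe account is never weak
        # if the cleanup step fails part-way through.
        probe_password = secrets.token_urlsafe(24)
        try:
            device.create_user(name, probe_password)
        except AccountExistsError:
            suspicious.append(name)
        else:
            device.delete_user(name)
    return suspicious


if __name__ == "__main__":
    # Constructed device: one visible account, one hidden built-in account.
    array = FakeArray(visible={"manage"}, hidden={"admin"})
    print("hidden account candidates:", probe_reserved_accounts(array))
    print("user list after probe:", array.list_users())
```

    The check only proves a collision, not the hidden account's password or privileges, so a hit is a reason to ask the vendor and to restrict network access to the management interface, not a finding on its own. Run it on a test or maintenance window rather than production, since it does create and delete accounts.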

  • by DarkOx ( 621550 ) on Tuesday December 14, 2010 @06:10PM (#34553266)

    It's probably nothing like that. Some idiot on the service side of the house probably convinced some VP that a backdoor was needed so the support people could deal with customers who had lost the passwords or when they had to refurbish and RMA and wanted to be lazy and not have to replace any chips or flash the thing or whatever. That VP then made the software team add the backdoor. I think on the MSA15000 there is a check to make sure the password does not match the user name, which I might have run across when familiarizing myself with it prior to deployment. The developers probably wanted to make the password match the user name (it's hidden after all) but also did not want to run into that test code somewhere even with the hard coded value.

    That being said, admin was an aggressively stupid choice and hard coded back doors at least rank as very stupid to begin with.
