
Hidden Backdoor Discovered On HP MSA2000 Arrays

Posted by CmdrTaco
from the i'm-your-backdoor-man dept.
wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."
  • Wow... (Score:5, Funny)

    by Ethanol-fueled (1125189) * on Tuesday December 14, 2010 @05:21PM (#34552382)

    The hard coded user and password in the HP MSA2000 is set to: username: admin

    password: !admin

    WaHAHAHAHAH! Not even "n9xe2uPAthe9" or even "Mr.Snuffles". And it is exactly the same as the very generic username, except for one extra character. It's almost as bad (or perhaps even worse) than using "123456" or even "password." [slashdot.org]

    This further proves that "faith based security" - relying on vendors to provide systems with built-in robust security- is not a good practice.

    Well...nah, I won't even go there. Too easy. I'm trying to be a good boy. Would somebody like to post a sysadmin's prayer for us?

    • Who would ever guess that the password for admin is "!admin" or "not admin?" Secure beyond belief!
    • Re:Wow... (Score:5, Funny)

      by mrsteveman1 (1010381) on Tuesday December 14, 2010 @05:27PM (#34552476)

      Yes but you've now seen the ! so it's NOT admin, we'll have to keep looking.

      Those HP guys are clever.

      • by DarkOx (621550)

        It's because whoever would use that login is obviously not the admin.

      • Re:Wow... (Score:5, Interesting)

        by pixelpusher220 (529617) on Tuesday December 14, 2010 @06:08PM (#34553242)
        On a serious note, with a user name of 'admin', would that prevent an actual user account being created with 'admin' as the name?

        Wonder if that might be a new check to run on vendor systems to weed out the truly stupid 'features' like this one. Run a script to create frequently used admin accounts and see if any fail due to them already existing.
      • To be fair, to use that login you have to go through a few steps:

        1. You have to be shrunk down and enter your own brain.
        2. Remove your common sense.
        3. Show the back door your admin and not admin.

      • by dave562 (969951)

        The only way they could have made it more secure would have been to use fnordadmin. Then it would have been REALLY obscured.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Anyone started testing other HP equipment for the same issue?

      Not familiar with the product in question, but it's possible a superuser account could have been embedded like this so they could reset data on RMA'd units without having to pull the chips... or for remote troubleshooting. That doesn't make it any less stupid, but if it's here there's no reason it couldn't exist in other similar products... or even not so similar ones.

      Probably worth checking if you have any HP gear in house, better safe than sorry

    • Some other examples (Score:3, Interesting)

      by Anonymous Coward

      Your point about relying on vendors is a superb one. Here's another data point to be concerned with.

      A lot of startups, and not-so-small companies, source their boxes from Asian manufacturers. This is generally known, and not a surprise. What may be a surprise is that not even the vendor who turns it into an server type of product is authorized to open the box. If they do, the warranty is voided. The top end boxes will go for +$15K a pop, so you can darn well be certain that the vendor doesn't open the syste

      • by h4rr4r (612664)

        We have servers that cost a lot more than that, we open them all the time.

      • by icebike (68054)

        What does opening the box have to do with backdoor passwords?

        I looked inside the case of my NAS recently, and didn't see any passwords. Does that mean I am safe?

        • by skarphace (812333)

          I looked inside the case of my NAS recently, and didn't see any passwords. Does that mean I am safe?

          You obviously aren't looking hard enough.

          • by bughunter (10093)

            Right. You have to turn the cover over and look at the underside.

            "Do not remove eraser."

      • by Dunbal (464142) *

        I can think of a half dozen vendors, whose names everyone recognizes,

        And who you utterly fail to mention - why? Are you afraid of being sued? It's not libel if it's true. Either that or you're full of shit.

    • by zill (1690130)

      "Mr.Snuffles"

      How did you find my password?

    • by idontgno (624372)
      Oh, yeah, that 80s group... "Admin (Not Admin)". I loved that song. [wikipedia.org]
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Would somebody like to post a sysadmin's prayer for us?

      Our Router, which art in IOS
      hallowed be thy interface
      thy packets come
      thy routing be done
      on the LAN as it is on the Web.
      Give us this day our daily Clues
      And forgive us our LARTings
      As we LART those who make stupid service requests
      And lead us not into Windows support
      but deliver us from lusers
      For thine is the Network
      The Bandwidth and the Packet
      For the duration of the DHCP lease.
      Amen

    • by afidel (530433)
      Except for the fact that this is called out in the admin guide and it's recommended that you change it. Of course I'm sure lots of people set them up without reading the guide (it's pretty thick) so they should probably have a wizard to change the default at first login like Brocade does.
  • by drsmack1 (698392) on Tuesday December 14, 2010 @05:25PM (#34552448)

    cntraltdelete

    If that is too long to type, you can use the shortcut keys on your keyboard. This HP thing goes deep. . . .

  • by tgd (2822) on Tuesday December 14, 2010 @05:36PM (#34552630)

    How about a nice game of chess?

  • by seebs (15766) on Tuesday December 14, 2010 @05:41PM (#34552732)

    Whenever you type '!admin' all I see is '******'. Whereas, if I type 'hunter2', all you see is '*******'.

    • by Stregano (1285764)
      pl3as3d0ntst3almyp4ssw0rd

      lets try this out
      • by Stregano (1285764)
        Wait a second...
      • by formfeed (703859)

        xxxxxxxxxxxxxxxxxxxxxxxxx

        lets try this out

        Wow, your password would take forever to crack.

        • by Stregano (1285764)
          On a real note, I always type in sentences for my passwords. Single words and letters won't do it for me. Even random letters, if the password is small enough, can be brute forced eventually. Type in a sentence, and while you can crack it, it is much, much tougher. That is why every website I personally build has around a 50-100 character limit on passwords, if not allowing for much longer ones.
  • Not working here (Score:5, Informative)

    by jonathanhowell (673180) on Tuesday December 14, 2010 @05:46PM (#34552832)

    A quick login test on my MSA 2012i G3 doesn't work.

    "Access denied"

    more testing later.
    J

    • by kordaff (899913)
      Yeah I figured you wanted me to change that for ya, so i went ahead and did so.
    • Send me your IP, I'll take a look.

    • Re:Not working here (Score:5, Informative)

      by jgtg32a (1173373) on Tuesday December 14, 2010 @06:12PM (#34553284)
      On the article some guy said it is only accessible through the serial port.
      • by MozeeToby (1163751) on Tuesday December 14, 2010 @06:22PM (#34553438)

        On the article some guy said it is only accessible through the serial port.

        Which kind of changes the whole tone in my opinion. I'm of the persuasion that if a black hat has physical access to your hardware, you've already lost. It's still shockingly bad practice from a vendor, but if this is true it goes from a serious issue to a moderate one.

        • Someone else had commented that it did work via web interface as well and didn't require a serial interface. Statement from HP should be coming soon.
      • by h4rr4r (612664)

        Then this is much less of an issue.

        If the attacker can get to the serial port they can just trash the thing if they want to.

        • by idontgno (624372)

          Unless someone put a dial-in modem or telnet-to-serial converter on the maintenance port. You know, for ease of oh-dark-thirty troubleshooting? I mean, rapid response to late-night network trouble calls.

          I've been a sysadmin at a largish installation. Maintenance modems aren't rare. You might hope the out-of-band command channels would be at least as secure as the in-band ones.

          • by h4rr4r (612664)

            Out of band is almost always worse. Which is why you should have the maintenance modem itself require strong passwords.

    • by yakatz (1176317)
      According to a comment [securityweek.com] on the original article:
      Try 'manage' as the username.
    • Re:Not working here (Score:5, Informative)

      by Necron69 (35644) on Tuesday December 14, 2010 @07:19PM (#34554220)

      The array they mean is really the MSA P2000 G3, which is a new 8Gb/s fibre channel array. Note that the array is OEM'd from Dot Hill.

      I tried the 'exploit' on my array. Yes, I can log in with admin/!admin, and no, the admin account does not show up in the GUI listing. BTW, the "admin/!admin" combo was the default login on previous versions of this array, but for this version, the default account was changed to "manage". I'd guess this is a coding error, not some deliberate backdoor.

      The article is wrong that the password cannot be changed. You can change it just fine from the CLI:

      HP StorageWorks MSA Storage P2000 G3 FC
      System Name: MSA_P2000_1
      System Location:XXXXXXXXX
      Version:L100R013

      # set password admin
      Enter new password: ****
      Re-enter new password: ****
      Success: Command completed successfully. (admin) - The password was changed.

      Verified that login is no longer possible via web GUI or SSH. Problem solved.

      - Necron69
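
An added example, not code from HP, Dot Hill, or anyone in this thread, that turns the two practical points above into a runnable audit: pixelpusher220's idea of probing a vendor box for accounts that work but are never listed, and Necron69's verification-then-rotation with `set password`. It assumes the controller accepts SSH password logins (Necron69 confirms admin/!admin over the web GUI and SSH) and can list its accounts. The host name, the SimulatedArray class, the `made-up-placeholder` password for `manage`, and the `ssh_try_login`/`audit`/`remediate` names are all constructed for this demonstration; only the admin/!admin pair comes from the thread.

```python
# Added example (not HP/Dot Hill code). Assumes SSH password auth and an
# account listing; host name, SimulatedArray and every password except
# admin/!admin are constructed for the demo.
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Credential pairs to probe. admin/!admin is the pair reported in the thread.
KNOWN_DEFAULTS = [("admin", "!admin")]


@dataclass
class Finding:
    host: str
    username: str
    accepted: bool           # the default password still works on this host
    hidden: Optional[bool]   # accepted, yet absent from the device's user list


def audit(hosts: Iterable[str],
          try_login: Callable[[str, str, str], bool],
          list_users: Optional[Callable[[str], set]] = None,
          creds: Iterable = KNOWN_DEFAULTS) -> list:
    """Try every known default pair on every host. An account that logs in
    but is missing from the management UI's user list is the pattern the
    thread describes (the probe pixelpusher220 suggests)."""
    findings = []
    for host in hosts:
        visible = list_users(host) if list_users is not None else None
        for user, pw in creds:
            ok = try_login(host, user, pw)
            hidden = (user not in visible) if (ok and visible is not None) else None
            findings.append(Finding(host, user, ok, hidden))
    return findings


def remediate(findings, set_password: Callable[[str, str, str], None]) -> list:
    """Rotate every account whose default still works (the `set password
    <user>` step Necron69 ran). Returns the (host, user) pairs rotated."""
    rotated = []
    for f in findings:
        if f.accepted:
            set_password(f.host, f.username, secrets.token_urlsafe(24))
            rotated.append((f.host, f.username))
    return rotated


def ssh_try_login(host: str, user: str, pw: str, port: int = 22,
                  timeout: float = 5.0) -> bool:
    """Adapter for a real controller via paramiko (imported lazily so the
    offline demo needs no third-party package). Password auth only, with
    key/agent lookup disabled, so True means the password itself was
    accepted. Unknown host keys are rejected, not silently trusted."""
    import paramiko
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    try:
        client.connect(host, port=port, username=user, password=pw,
                       timeout=timeout, look_for_keys=False, allow_agent=False)
        return True
    except paramiko.AuthenticationException:
        return False
    finally:
        client.close()


class SimulatedArray:
    """Constructed stand-in for a controller so the example runs offline.
    'manage' is the G3 default account name per the thread; its password here
    is made up. 'admin' works but is deliberately absent from the user list."""
    def __init__(self):
        self.accounts = {"admin": "!admin", "manage": "made-up-placeholder"}
        self.listed = {"manage"}

    def try_login(self, host, user, pw):
        return self.accounts.get(user) == pw

    def list_users(self, host):
        return set(self.listed)

    def set_password(self, host, user, new_pw):
        if user not in self.accounts:
            raise KeyError(user)
        self.accounts[user] = new_pw


def demo():
    """Audit, rotate, re-audit against the simulated array."""
    sim = SimulatedArray()
    hosts = ["msa-p2000-1.example.invalid"]   # constructed host name
    before = audit(hosts, sim.try_login, sim.list_users)
    rotated = remediate(before, sim.set_password)
    after = audit(hosts, sim.try_login, sim.list_users)
    return before, rotated, after


if __name__ == "__main__":
    before, rotated, after = demo()
    for f in before + after:
        print(f)
    print("rotated:", rotated)
```

Against a real fleet, pass `ssh_try_login` as `try_login`; the `list_users` and `set_password` callables would need to run the controller's own CLI commands over the same SSH session, and the thread only shows `set password <user>`, so those adapters are left to write for your environment. Treat a finding with `hidden=True` as the serious case: the account is reachable but invisible to whoever reviews the user manager.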

  • by Invisible Now (525401) on Tuesday December 14, 2010 @06:01PM (#34553122)

    Read the Cisco vulnerability report: root control of the device...

    Think where these teleconferencing suites are used: The Whitehouse, Pentagon, Central Command and every three star command...

    Who might want to lurk on some reality TV?

  • FEAR (Score:5, Insightful)

    by mysidia (191772) on Tuesday December 14, 2010 @06:27PM (#34553530)

    If someone disables the building's primary security system, defeats the lock on your front door, breaks in, when nobody's there, figures out where your MSA is, defeats your server room's dedicated primary alarm system, breaks through the steel fire door into your server room, defeating the ANSI GRADE 1 industrial access control locks, figures out the precise cage where your MSA2000 is located, defeats the cage locks, figures out the combination to open your cabinet, and somehow removes the faceplate without triggering the intrusion alarm, or motion detectors, noise sensors, and surveillance cameras attached to the server room's secondary security/environment monitoring system.

    Then yes... there is a small chance someone might be able to insert a serial connector into your MSA to login as this GUI-unavailable backdoor user without the perp getting caught pretty quickly.

    By the way, the 'password security' on many routers can be defeated by sending a BREAK via serial console during reboot, or by pushing a recessed RESET button. Where is the outrage?

    • by sumdumass (711423)

      Um.. You mean all they have to do is put on a set of blue coveralls, carry a small tool box with some sticker from one of the Ma Bells or even a printer manufacturer on the side, and claim he is there to complete some order started a month ago and we are all doomed?

      That's not very comforting.

  • Password:spyspyspyspy
