HP Confirms Backdoor In StoreOnce Backup Products
wiredmikey writes "Security response personnel at HP are 'actively working on a fix' for a potentially dangerous backdoor in older versions of its StoreOnce backup product line. The company's confirmation of what it describes as a 'potential security issue' follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP's StoreOnce backup systems. The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password. The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers."
hands of skills (Score:1)
WTF, HP? (Score:5, Insightful)
So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth? Y'know, the one where obtaining the private key just by having access to the public key baked into every unit isn't dangerously trivial?
Re: (Score:1)
No.
But I can think of several highly shameful reasons :-)
Re: (Score:1)
So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth?
<voice type="whiny">But that's haaaard! We don't waaaaaanna!</voice>
This is still going on ? (Score:2)
When did the movie "War Games" come out?
And people are still putting back doors into stuff?
Re: (Score:1)
First, this is a product that should never, ever, ever be connected to a public network. The same goes for the SAN systems, some of the older ones of which also apparently had an undocumented default password. It's still sloppy and bad practice for that to be there, but any moron who connects a storage backup system like this to a public network and gets hacked deserves what they get; doing that would be beyond stupid to the point of actually being malicious. The same also goes for similar products from
rainbow tables (Score:1)
With rainbow tables and no salt, it's almost the same as releasing the plaintext: badg3r5
Re: (Score:2)
badg3r5 [youtube.com]?
Re: (Score:2)
And the desktop link requires Flash, which is why I linked to the mobile version.
Re: (Score:2)
On the other hand, the Flash version actually WORKS on my system. The mobile one does not.
Re: (Score:2)
On the other hand, the Flash version doesn't work on mine but the mobile one does.
Re: (Score:2)
The difference is, your system is stupid!! :-) Relax, I'm only kidding. There needs to be a standard that works on BOTH our systems.
That's not a backdoor, (Score:5, Insightful)
That's the main entrance for the NSA.
Re: (Score:2)
Yeah. The thing to remember is that the NSA is as interested in protecting US interests ...
Yeah (*cough*Edward Snowden*cough*), right.
Re: (Score:2)
As do many programmers, usually when they're in the bath tub, just for fun. Now, whether those techniques stand up to the scrutiny of a major dedicated code-breaker is a different discussion.
badg3r5 (Score:5, Informative)
Re:badg3r5 (Score:5, Insightful)
Go badg3r5!
Re:badg3r5 (Score:5, Funny)
I guess the HP patch upgrades the string to f3bbbd66a63d4bf1747940578ec3d0103530e21d.
Re: (Score:2)
Mod parent up.
I almost wet myself. ******* indeed!
StoreOnce... is that the same as write-only? (Score:2)
I had a set of backups like that once. That's why I dumped NT 3.5
Re: (Score:2)
yourBackupFiles.tar.gz >
HP is on a Low Sodium Diet (Score:4, Funny)
>SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password.
HP is on a low sodium diet, they didn't add salt.
Re: (Score:2)
A salt does not increase security when cracking only a single password. Salts help with large sets of passwords, but brute forcing a single password takes the same time whether it is salted or not.
Re: (Score:2, Informative)
As pointed out in other comments, the reverse lookup (i.e. rainbow table) is readily available for unsalted hashes.
You make the mistake of assuming that getting a password requires brute force. People aren't stupid; they use the fastest tools available first. If Google can tell you the password by simply entering the hash, then yes, it is LESS SECURE than one that is not readily available and REQUIRES brute force.
Re: (Score:2)
Indeed. Properly salted, the brute force cost would be O(2^80). With rainbow tables, assuming your target is in your table dictionary, the cost is much, much less.
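The thread above argues about what a salt does and does not buy. The following is an added illustration, not code from the article or from HP: a precomputed hash-to-plaintext table built once over a constructed toy wordlist (not real data) recovers an unsalted SHA1 instantly, while a per-credential random salt plus a slow KDF (PBKDF2-HMAC-SHA256, a stand-in for whatever a fixed product would use) makes the same password hash differently every time, so no table can be precomputed for it, and each remaining guess costs far more.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for a dictionary / rainbow table.
WORDLIST = ["letmein", "backup1", "storage", "service", "passw0rd"]


def unsalted_sha1(password: str) -> str:
    """What an unsalted stored credential looks like: one deterministic digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext ONCE; the table is reusable against every
    unsalted target hash, which is the amortisation a rainbow table exploits."""
    return {unsalted_sha1(w): w for w in words}


def lookup(target_hex: str, table: dict):
    """Constant-time reverse lookup; hits iff the plaintext was in the dictionary."""
    return table.get(target_hex)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-credential salt + deliberately slow KDF: every guess costs `iterations`
    hash rounds, and the digest differs per salt, so nothing can be precomputed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_credential(password: str):
    salt = os.urandom(16)  # fresh random salt per stored credential
    return salt, salted_hash(password, salt)


def verify_credential(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo():
    table = build_lookup_table(WORDLIST)
    target = unsalted_sha1("service")        # an unsalted stored hash
    recovered = lookup(target, table)         # -> "service", no per-target work
    s1, h1 = store_credential("service")
    s2, h2 = store_credential("service")
    # Same password, two salts, two different digests: a digest-keyed table is
    # useless, and a single target still costs a full KDF run per guess.
    return recovered, h1 != h2, verify_credential("service", s1, h1)
```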
HP (Score:5, Funny)
The best part of clicking on the link to TFA was the pop-over advertisement from HP that said "How secure is your code?"
Way to go HP!
At least its not an undocumented default account. (Score:1)
Some of the latest versions of HP P2000 SANs have a built-in service account enabled by default, reachable through telnet/SSH, that is totally hidden from the management GUI of the device.
https://www.krystalmods.com/index.php?title=hp-msa-g3-array-hidden-admin-user&more=1&c=1&tb=1&pb=1 [krystalmods.com]
HP eventually released an advisory about it suggesting you change the password.
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02662287 [hp.com]
Re: (Score:2)
Lol. To a businessman's ears, it means "no" security issue; to a network admin's ears, it means "they're already in your database, copying your tables, and leaving lewd comments about your tastes in desktop managers."
Second reason not to use this product (Score:2)
The first is that it costs more than a king's ransom to buy and isn't that great when you do. So I guess that's three. Sorry.
a bit offtopic, but.. (Score:2)
It's sad to watch HP fall into ruins, but it seems to me that everything they touch turns into coal instead of gold. They used to build decent hardware. My brother owns an HP handheld from the time before the smartphone craze that had a stylus, Windows Mobile (from the era when it actually used to work), a *shitload* of software and GPS. They acquired Compaq, and the laptop I bought from them back in 2004 was built to last. Then they phased out all the Compaq products and the laptops they have been marketi
2nd HP fail (Score:1)