Forgot your password?
typodupeerror
HP Data Storage Security IT

HP Confirms Backdoor In StoreOnce Backup Products 45

Posted by timothy
from the top-men-are-on-it dept.
wiredmikey writes "Security response personnel at HP are 'actively working on a fix' for a potentially dangerous backdoor in older versions of its StoreOnce backup product line. The company's confirmation of what it describes as a 'potential security issue' follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP's StoreOnce backup systems. The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password. The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers."
This discussion has been archived. No new comments can be posted.

HP Confirms Backdoor In StoreOnce Backup Products

Comments Filter:
  • instead of talking over a telephone maybe a group of peoples may have to look through billions of lines of coding to really fix this issue outside the halodeck...
  • WTF, HP? (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Wednesday June 26, 2013 @01:00PM (#44114503) Journal

    So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth? Y'know, the one where obtaining the private key just by having access to the public key baked into every unit isn't dangerously trivial?

    • by Anonymous Coward

      No.

      But I can think of several highly shameful reasons :-)

    • by Anonymous Coward

      So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth?

      <voice type="whiny">But that's haaaard! We don't waaaaaanna!</voice>

  • When did the movie "War Games" come out?

    And people are still putting back doors into stuff?

    • by Anonymous Coward

      First, this is a product that should never, ever, ever be connected to a public network. The same goes for the SAN systems, some of the older ones of which also apparently had an undocumented default password. It's still sloppy and bad practice for that to be there, but any moron who connects a storage backup system like this to a public network and gets hacked deserves what they get, doing that would be beyond stupid to the point of actually being malicious. The same also goes for similar products from

  • by Anonymous Coward

    with rainbow tables and no salt it's almost the same as releasing the plaintext: badg3r5

  • by BLToday (1777712) on Wednesday June 26, 2013 @01:16PM (#44114703)

    That's the main entrance for the NSA.

  • badg3r5 (Score:5, Informative)

    by TheNinjaroach (878876) on Wednesday June 26, 2013 @01:17PM (#44114725)
    Google quickly lead me to the SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50 and to a publicly available SHA1 reverse lookup [sha1-lookup.com] utility that already has the match in it.
  • I had a set of backups like that once. that's why I dumped NT 3.5

    • I have a massive write only drive that I would be willing to sell you room on.
      yourBackupFiles.tar.gz > /dev/null
  • by TechyImmigrant (175943) on Wednesday June 26, 2013 @01:33PM (#44114921) Journal

    >SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password.

    HP is on a low sodium diet, they didn't add salt.

    • by Baloroth (2370816)

      A salt does not increase security when cracking only a single password. They help with large sets of passwords, but brute forcing a single password takes the same time whether it is salted or not.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        As pointed out in other comments, the reverse lookup (i.e. rainbow table) is readily available for unsalted hashes.

        You make the mistake that to get a password requires brute force. People aren't stupid, they use the fastest tools available first. If google can tell you the password by simply entering the hash, then yes, it is LESS SECURE then one that is not readily available and REQUIRES brute force

        • Indeed. Properly salted, the brute force cost would be O(2^80). With rainbow tables, assuming your target is in your table dictionary, the cost is much much less.

  • HP (Score:5, Funny)

    by Anonymous Coward on Wednesday June 26, 2013 @01:43PM (#44115045)

    The best part of clicking on the link to TFA was the pop-over advertisement from HP that said "How secure is your code?"
    Way to go HP!

  • Some of the latest versions of HP P2000 SAN's have a built in service account enabed by default reachable through telnet/SSH that is totally hidden from the management GUI of the device.

    https://www.krystalmods.com/index.php?title=hp-msa-g3-array-hidden-admin-user&more=1&c=1&tb=1&pb=1 [krystalmods.com]

    HP eventually released an advisory about it suggesting you change the password.

    http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02662287 [hp.com]

  • The first is that it costs more than a king's ransom to buy and isn't that great when you do. So I guess that's three. Sorry.

  • it's sad to watch HP fall into ruins, but it seems that me that everything they touch turns into coal instead of gold. They used to build decent hardware. My brother owns an HP handheld from the time before the smartphone craze that had a stylus, Windows mobile (from the era when it actually used to work), a *shitload* of software and GPS. They acquired Compaq and the laptop I bought from them back in 2004 was built to last. Then they phased out all the Compaq products and the laptops they have been marketi

  • HP dataprotector was also on bugtraq a few weeks back with the software containing a "hardcoded" password... HP is security fail!

How much net work could a network work, if a network could net work?

Working...