For the second time in a month, Hewlett-Packard has been forced to admit it built secret backdoors into its enterprise storage products.
The admission, in a security bulletin posted July 9, confirms reports from the blogger Technion, who flagged the security issue in HP’s StoreOnce systems in June, before finding more backdoors in other HP storage and SAN products.
The most recent statement from HP, following another warning from Technion, admitted that “all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.”
While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP’s own customer-service rules—not a limitation built in to limit use of backdoors. The entry points consist of a hidden administrator account with root access to StoreVirtual systems and software, and a separate copy of the LeftHand OS, the software that runs HP’s StoreVirtual and HP P4000 products.
Secret admin accounts have existed in HP storage products since at least 2009.
Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would “cripple the cluster,” according to information provided to The Register by an unnamed source.
The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it’s not hard to find: “Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn’t know existed,” according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public.
The hash hiding the login “is easily brute-forced,” according to Technion, who noted in a later blog that more than 55 users have separately notified him they’d broken the hash. The backdoors are hidden in versions of the LeftHand OS v. 9.0 and higher. They have existed since at least 2009, according to The Register.
HP responded separately to the two most recent revelations, on July 8 and July 9. In the latter update, HP said the StoreVirtual backdoor is present only in versions of LeftHand 10.5 and higher, and that it will issue a patch by July 17 removing the account.
This isn’t the first time HP has been caught inserting backdoors into enterprise products without telling customers. In 2010 it was forced to admit a secret backdoor in its StorageWorks systems that could be accessed by anyone using the account name “admin” and password “!admin.”
Its solution at that time did not exemplify full-touch customer service: “If the ‘admin’ account raises a security concern, the ‘admin’ account password can be modified by using the Command Line Interface (CLI), through telnet or SSH, to change the default password,” the update read.
In December of 2010 the same backdoor, with the same username and password, was discovered in the HP MSA200 G3 storage arrays. The account and its password were hard-coded, making it impossible for customers to change or delete them, according to a SecurityWeek story at the time. In 2007 HP was found to have built backdoors into the BIOS in 23 models of laptop, as well.
The repetition of the same error suggests HP prefers to retain easy, insecure access to systems its customer-service reps might need to fix. “Vulnerabilities happen to everyone,” Technion wrote about HP’s apparent determination to keep re-installing the same backdoors. “Anyone [IT vendor] can have any number of issues… secret root accounts is not one of them. There’s no excuse for hating your users this much.”