HP Storage Hardware Harbors Secret Back Door

HP has acknowledged a security issue with storage area networking equipment after reports surfaced about a hard-coded “back door” account.

Hewlett Packard said in a statement that it has identified a “potential security issue” with one of its storage area networking (SAN) products and is readying a fix for the issue.

The company was responding to published reports about the existence of a hard-coded user name and password that could provide unknown assailants with administrative access to the HP StorageWorks P2000 storage area networking (SAN) product.

The devices reportedly contain an administrative account, ‘admin,’ with the password ‘!admin,’ that is written into the device’s firmware and can be used to gain administrative access to the system. The account does not show up in the user management interface for the P2000 and can’t be altered or deleted.

Hewlett Packard said the flaw, which it did not describe, does not affect its MSA line of storage solutions, as initially reported. HP said it has identified an “immediate fix” for the issue and is informing customers of the solution.

Hard coded “backdoor” user names and passwords have long been a dirty secret of the technology industry, but have become a sore issue for hardware and software vendors in recent months. The Stuxnet worm allegedly took advantage of a long known back door account in the WinCC industrial control software manufactured by Siemens. That company advised customers not to change that password even after news of the worm broke because doing so would make it impossible for the WinCC application to communicate with its database.

In November, Cisco issued a security alert that warned users of its Unified Videoconferencing (UVC) products about the presence of three hard-coded credentials in that product. Finally, on Wednesday, reports broke about a possible FBI-sanctioned backdoor in the OpenBSD operating system. Threatpost reported that developers who were involved in the creation of the operating system denied that any back doors were part of the code, but that such accusations are difficult to disprove, in any case.
