HP has acknowledged a security issue with storage area networking equipment after reports surfaced about a hard-coded “back door” account.
Hewlett Packard said in a statement that it has identified a “potential security issue” with one of its storage area networking (SAN) products and is readying a fix for the issue.
The company was responding to published reports about the existence of a hard coded user name and password that could provide unknown assailants with administrative access to HP StorageWorks P2000 storage area networking (SAN) product.
The devices reportedly contain a administrative account, ‘admin,’ and password ‘!admin’ that are written into the device’s firmware and can be used to gain administrative access to the system, but do not show up in the user management interface for the P2000 and can’t be altered or deleted.
Hewlett Packard said the flaw, which it did not describe, does not affect its MSA line of storage solutions, as initially reported. HP said it has identified an “immediate fix” for the issue and is informing customers of the solution.
Hard coded “backdoor” user names and passwords have long been a dirty secret of the technology industry, but have become a sore issue for hardware and software vendors in recent months. The Stuxnet worm allegedly took advantage of a long known back door account in the WinCC industrial control software manufactured by Siemens. That company advised customers not to change that password even after news of the worm broke because doing so would make it impossible for the WinCC application to communicate with its database.
In November, Cisco issued a security alert that warned users of its Unified Videoconfernecing (UVC) products about the presence of three hard coded credentials in that product. Finally, on Wednesday, reports broke about a possible FBI-sanctioned backdoor in the OpenBSD operating system. Threatpost reported that developers who were involved in the creation of the operating system denied that any back doors were part of the code, but that such accusations are difficult to disprove, in any case.