A few weeks after admitting that it had put an administrative backdoor in its StoreOnce backup servers, HP has disclosed a similar mechanism in its StoreVirtual storage systems that allows a remote user to gain root access to the underlying operating system. The company said the function is meant for remote support use, but acknowledged that it could also serve as an attack vector.
The vulnerability exists in all of the HP StoreVirtual systems, and HP said that there is no way to disable the mechanism right now. The company plans to release a patch by July 17.
“A potential security vulnerability has been identified with the HP StoreVirtual Storage. This vulnerability could be remotely exploited to gain unauthorized access to the device,” the HP security advisory says.
“All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.”
HP says that the remote access mechanism is meant specifically to give support personnel the ability to reach customer networks and StoreVirtual systems, after the customer has agreed and granted access. The mechanism requires a challenge-response one-time password, so the same pass phrase cannot be used to log in twice. HP also said that the support mechanism doesn't grant access to user data stored on the system, but rather to the underlying operating system, called LeftHand OS.
“Root access may be requested by HP Support in some cases to help customers resolve complex support issues. To facilitate these cases, a challenge-response-based one-time password utility is employed by HP Support to gain root access to systems when the customer has granted permission and network access to the system. The one-time password utility protects the root access to prevent repeated access to the system with the same pass phrase. Root access to the LeftHand OS does not provide access to the user data being stored on the system,” the advisory says.
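The properties the advisory claims for its utility (access only after customer consent, a per-session challenge, and no reuse of a response) can be modelled in a few dozen lines. The following is an added example written for this article, not HP's utility or any code from the vendor; the class and function names, the HMAC-SHA256 response derivation, the 300-second challenge lifetime and the shared secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

# Hypothetical model of a challenge-response one-time-password gate for vendor
# support access. This is an added example, not HP's implementation; every
# name and parameter here is invented for illustration.


def compute_response(shared_secret: bytes, challenge: str) -> str:
    """Support side: derive the one-time response for a specific challenge.

    Assumption: the response is HMAC-SHA256 over the challenge under a secret
    the support organisation holds. Because the challenge differs each time,
    a captured response is useless against any other challenge.
    """
    return hmac.new(shared_secret, challenge.encode(), hashlib.sha256).hexdigest()


class SupportAccessGate:
    """Device side: issues challenges and verifies one-time responses."""

    def __init__(self, shared_secret: bytes, ttl_seconds: int = 300):
        self._secret = shared_secret
        self._ttl = ttl_seconds
        self._outstanding: Dict[str, float] = {}  # challenge -> expiry time
        self._consumed: Set[str] = set()          # challenges already redeemed
        # Support access is closed until the customer explicitly opens it.
        self.customer_consent = False

    def new_challenge(self, now: Optional[float] = None) -> str:
        """Issue a fresh random challenge; refuses if the customer has not consented."""
        if not self.customer_consent:
            raise PermissionError("customer has not granted support access")
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)
        self._outstanding[challenge] = now + self._ttl
        return challenge

    def verify(self, challenge: str, response: str, now: Optional[float] = None) -> bool:
        """Grant root access only for a live, unconsumed challenge with a valid response."""
        now = time.time() if now is None else now
        if not self.customer_consent:
            return False
        if challenge in self._consumed:
            return False  # one-time: the same challenge/response pair never works twice
        expiry = self._outstanding.get(challenge)
        if expiry is None or now > expiry:
            self._outstanding.pop(challenge, None)
            return False  # unknown or stale challenge
        expected = compute_response(self._secret, challenge)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self._consumed.add(challenge)
            del self._outstanding[challenge]
        return ok


def demo() -> Dict[str, object]:
    """Walk through the cases a reviewer would want to see rejected or accepted."""
    secret = b"constructed-demo-secret"  # constructed for the example only
    gate = SupportAccessGate(secret)
    t0 = 1_000_000.0
    results: Dict[str, object] = {}

    # 1. No consent: the device will not even issue a challenge.
    try:
        gate.new_challenge(now=t0)
        results["before_consent"] = "issued"
    except PermissionError:
        results["before_consent"] = "refused"

    # 2. Customer opens the window; a correct response works exactly once.
    gate.customer_consent = True
    c1 = gate.new_challenge(now=t0)
    r1 = compute_response(secret, c1)
    results["first_use"] = gate.verify(c1, r1, now=t0 + 10)
    results["replay"] = gate.verify(c1, r1, now=t0 + 20)

    # 3. A response to an expired challenge is rejected.
    c2 = gate.new_challenge(now=t0)
    results["stale"] = gate.verify(c2, compute_response(secret, c2), now=t0 + 600)

    # 4. A response computed under the wrong secret is rejected.
    c3 = gate.new_challenge(now=t0)
    results["wrong_secret"] = gate.verify(c3, compute_response(b"other", c3), now=t0 + 1)

    # 5. Consent withdrawn after the challenge was issued: access is refused.
    c4 = gate.new_challenge(now=t0)
    gate.customer_consent = False
    results["consent_revoked"] = gate.verify(c4, compute_response(secret, c4), now=t0 + 1)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of the model is that every one of the advisory's safeguards is a distinct check, and each can be tested on its own: consent gating, challenge freshness, replay refusal and response validity. What the model cannot show is the part HP says it cannot offer yet, namely a way for the customer to disable the mechanism entirely rather than merely withhold consent for a session.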
In June, HP released an advisory after a researcher posted details of the same kind of remote support access mechanism in its StoreOnce systems.
“A user who is logged in via the HPSupport user account does not have access to the data that has been backed up to the HP StoreOnce Backup system, and hence is not able to read or download the backed up data. However, it is possible to reset the device to factory defaults, and hence delete all backed up data that is present on the device,” that advisory says.
HP released an update to fix that vulnerability on Monday.