Privacy is going out the window: Hewlett-Packard recently admitted that it has built secret backdoors into its enterprise storage and SAN products. The issue was first discovered by Technion, who found security issues in StoreOnce systems (previously known as HP D2D), and was later confirmed by HP. The backdoor was found in one of their StoreOnce units, and the instructions for accessing it are clearly pointed out over here.
This is the second time in a row within a month that the company has been caught doing so. Back in December 2010, the same backdoor, with the same username and password, was discovered in the HP MSA200 G3 storage array, and according to Security Week, there is no way for customers to alter the username and password. HP has been found using backdoors in the BIOS since 2007, including in 23 notebooks. The company justified this by saying it's easier for its customer service reps to gain complete access to fix customers' systems. But Technion said, “Anyone can have any number of issues… secret root accounts are not one of them. There’s no excuse for hating your users this much.”
The company issued a statement in its security bulletin:
“A potential security vulnerability has been identified with the HP StoreVirtual Storage. This vulnerability could be remotely exploited to gain unauthorized access to the device.
All StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.
HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013.
HP StoreVirtual products are storage appliances that use a custom operating system, LeftHand OS, which is not accessible to the end user. Limited access is available to the user via the StoreVirtual Command-Line Interface (CLiQ); however, root access is blocked.
Root access may be requested by Support in some cases to help customers resolve complex support issues. To facilitate these cases, a challenge-response-based one-time password utility is employed by HP Support to gain root access to systems when the customer has granted permission and network access to the system. The one-time password utility protects the root access to prevent repeated access to the system with the same pass phrase. Root access to the LeftHand OS does not provide access to the user data being stored on the system.”
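
A minimal sketch of the kind of challenge-response one-time password scheme the bulletin describes, showing why it resists the replay that a fixed username and password allows. This is an added example, not HP's code: the bulletin does not publish the algorithm, so the HMAC-SHA256 construction, the per-device key, the customer-controlled `enabled` switch and every name below are assumptions.

```python
import hashlib
import hmac
import secrets
import time


def support_response(device_key: bytes, challenge: str) -> str:
    """Vendor-side step: derive the one-time response for a given challenge."""
    return hmac.new(device_key, challenge.encode(), hashlib.sha256).hexdigest()


class SupportAccessGate:
    """Device-side gate for vendor support logins (hypothetical design)."""

    def __init__(self, device_key: bytes, ttl_seconds: int = 300):
        self._key = device_key    # assumed per-device secret, not one fleet-wide password
        self._ttl = ttl_seconds   # how long an issued challenge stays valid
        self.enabled = False      # customer opt-in; support access is off by default
        self._pending = None      # (challenge, expiry) for the single open challenge

    def issue_challenge(self, now=None) -> str:
        """Return a fresh random challenge for the customer to pass to support."""
        if not self.enabled:
            raise PermissionError("support access disabled by customer")
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)
        self._pending = (challenge, now + self._ttl)
        return challenge

    def verify(self, response: str, now=None) -> bool:
        """Check a response; the challenge is consumed whether or not it matches."""
        now = time.time() if now is None else now
        pending, self._pending = self._pending, None
        if not self.enabled or pending is None:
            return False
        challenge, expiry = pending
        if now > expiry:
            return False
        expected = support_response(self._key, challenge)
        return hmac.compare_digest(expected, response)
```

Because each challenge is random and consumed on first use, a captured response is useless for a later login, which is the property a hardcoded credential cannot provide.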