Hewlett-Packard on Wednesday said it has found a potential security issue in the software of its enterprise-class StoreOnce deduplication appliances.
HP said the security risk does not impact its latest HP StoreOnce deduplication appliances, and that a patch will be made available shortly for older models affected by the problem.
The potential storage security risk appears to have been brought to the attention of HP by a blogger who goes by the name "Technion."
Technion wrote that he discovered a backdoor in the StoreOnce software: anyone who can reach an HP StoreOnce appliance by its IP address can log in with the username "HPSupport" and a fixed password, which can be recovered from a specific password hash.
The result? "Say hello to an administrative account you didn't know existed," he wrote.
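The reason a published hash of a fixed support password is as good as the password itself is that an unsalted, unstretched hash of a short string can be matched offline against a wordlist in seconds. The following is an added illustration, not code from Technion's post or from HP: the password, its hash and the wordlist are all constructed for this example and are not the real StoreOnce credentials, and the hash algorithm is assumed (the article does not say which one HP used).

```python
import hashlib

# Constructed example values. EXAMPLE_PASSWORD and its digest are invented
# for this illustration; they are NOT the HP StoreOnce "HPSupport" credentials.
EXAMPLE_PASSWORD = "badger1"
EXAMPLE_HASH_SHA1 = hashlib.sha1(EXAMPLE_PASSWORD.encode()).hexdigest()

# Constructed wordlist. A real run would use a large list (e.g. rockyou.txt).
WORDLIST = ["password", "support", "hpsupport", "123456", "badger1", "storeonce"]


def guess_algorithm(hash_hex):
    """Map a hex digest length to the unsalted hash it most likely is."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hash_hex))


def crack_unsalted(hash_hex, wordlist, algorithm=None):
    """Return the wordlist entry whose digest equals hash_hex, or None.

    Only unsalted, single-round hashes are attacked here. That is exactly the
    weak case the StoreOnce finding describes: one fixed password shared by
    every appliance, so once its hash is known the password is effectively public.
    """
    algorithm = algorithm or guess_algorithm(hash_hex)
    if algorithm is None:
        raise ValueError("unrecognised digest length: %d" % len(hash_hex))
    target = hash_hex.lower()
    for candidate in wordlist:
        if hashlib.new(algorithm, candidate.encode()).hexdigest() == target:
            return candidate
    return None


def sha256_hex(password):
    """Unsalted SHA-256 of a password (helper for the unsalted case)."""
    return hashlib.sha256(password.encode()).hexdigest()


def per_device_hash(password, device_salt):
    """Salted hash, standing in for a per-appliance credential.

    With a random salt per device, one leaked digest no longer matches the
    same password on any other appliance, and crack_unsalted() cannot match it
    without also knowing the salt. This mirrors why per-device, user-settable
    credentials, rather than a shared support account, are the fix.
    """
    return hashlib.sha256(device_salt.encode() + password.encode()).hexdigest()


if __name__ == "__main__":
    print("unsalted sha1  ->", crack_unsalted(EXAMPLE_HASH_SHA1, WORDLIST))
    print("unsalted sha256->", crack_unsalted(sha256_hex(EXAMPLE_PASSWORD), WORDLIST))
    print("salted sha256  ->", crack_unsalted(per_device_hash(EXAMPLE_PASSWORD, "dev-42"), WORDLIST))
```

The first two calls recover the constructed password directly from its digest; the third, using a per-device salt, returns None even though the same password and wordlist are in play. The length-based algorithm guess is a convenience for unsalted hex digests only; real-world password stores usually carry an explicit scheme identifier that should be honoured instead.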
Technion wrote that he tried contacting HP for "weeks," but received no response from the vendor.
"HP are working on their 'close your eyes and it might go away' approach," he wrote.
Vulnerabilities can happen to everyone, Technion wrote. "Anyone can have any number of issues. Secret root accounts is not one of them. There's no excuse for hating your users this much," he wrote.
When contacted by CRN, HP responded with a statement and a security bulletin.
The statement, attributed to an HP spokesperson, read, "HP identified a potential security issue with older HP StoreOnce models. This does not affect StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix."
The statement also included a link to an HP security bulletin that said HP has identified a "potential security vulnerability" in the HP StoreOnce D2D (disk-to-disk) backup system.
"The vulnerability could be exploited remotely resulting in unauthorized access and modification. ... A user who is logged in via the HPSupport user account does not have access to the data that has been backed up to the HP StoreOnce Backup system, and hence is not able to read or download the backed up data. However, it is possible to reset the device to factory defaults, and hence delete all backed up data that is present on the device," HP wrote in the security bulletin.