HP Keeps Installing Secret Backdoors In Enterprise Storage 193

Nerval's Lobster writes "For the second time in a month, Hewlett-Packard has been forced to admit it built secret backdoors into its enterprise storage products. The admission, in a security bulletin posted July 9, confirms reports from the blogger Technion, who flagged the security issue in HP's StoreOnce systems in June, before finding more backdoors in other HP storage and SAN products. The most recent statement from HP, following another warning from Technion, admitted that 'all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.' While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules—not a limitation built in to limit use of backdoors. The entry points consist of a hidden administrator account with root access to StoreVirtual systems and software, and a separate copy of the LeftHand OS, the software that runs HP's StoreVirtual and HP P4000 products. Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would 'cripple the cluster,' according to information provided to The Register by an unnamed source. The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it's not hard to find: 'Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn't know existed,' according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public."
  • Eh? (Score:4, Insightful)

    by adolf ( 21054 ) <flodadolf@gmail.com> on Thursday July 11, 2013 @10:25PM (#44257729) Journal

    The most recent statement from HP, following another warning from Technion, admitted that 'all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.' While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules—not a limitation built in to limit use of backdoors.

    Without reading TFA, which I expect to be even more sensationalist crap:

    I grok this to mean that a backdoor exists for customer service, which can be activated by a customer (by two factors: permission and network access), and that without action on the part of the customer, said backdoor is closed.

    Did I miss something?

    If so, please synopsize in non-sensationalist terms.

    Indeed, whatever the case: Please post a not-purposefully-scary summary of the actual problem below, because right now it sounds a whole lot like the not-backdoor that Remote Assistance is under Windows.

  • by purpleidea ( 956832 ) on Thursday July 11, 2013 @10:33PM (#44257785) Homepage

    The password you're looking for is badg3r5.

    Yikes! That's not even a very good password.

    This is a huge backdoor/security issue. This is another bit of proof that proprietary software is never okay.

    Check out gluster instead maybe! All that's missing is a FreeBIOS.

  • by girlintraining ( 1395911 ) on Thursday July 11, 2013 @10:41PM (#44257833)

    This is a huge backdoor/security issue. This is another bit of proof that proprietary software is never okay.

    If by "never" you mean "widely used", then I'm going to go with... nope. Here's the thing -- corporations are what buy most software. Corporations are willing to spend large piles of money on software. And corporations don't want security that cannot be defeated because a malicious person (or a perfectly ordinary employee with an asshole manager they want to get revenge on!) could disable it in a way it cannot be recovered from.

    They pay massive amounts of money for support contracts that demand minimal downtime. There's nothing in that contract, or even a single fuck given, to security -- which is why you get convenient fast-recovery options like this... that have the "small" side effect of having giant unpatchable security holes in it. The worst of it is, the patch will probably take some custom (weak) hashing function that generates a unique password based on the serial number of the device... like so many other first responses many other vendors over the years have implemented... and then someone will figure out the hashing function and you'll have to run a 'keygen' then and probe the SNMP interface before doing the exact. same. goddamned. thing.

    The balance between security and convenience has always slanted heavily towards convenience. Saying "proprietary software" is to blame for this is disingenuous at best. Open source software tends to be used by people who give at least half a fuck about security -- but look at the projects that have gone mainstream. Firefox, for example, and its attaching NTFS AD streams to downloaded files (just like internet explorer!) and integration with internet options (just like internet explorer!) control panel... all to please their corporate overlords. Oh, and bonus -- you can't override it. So if your corporate overlords screw up, Firefox is just another target waiting to be exploited. And the list goes on. The reason why open source appears more secure is because the people who use it are somewhat more experienced. It has nothing to do with open source itself -- it is purely the people who are using it that have created an (albeit imperfect) culture of security around the products.

  • Re:Eh? (Score:1, Insightful)

    by Anonymous Coward on Thursday July 11, 2013 @10:45PM (#44257861)

    Don't know about sensationalist but it is a call for Murphy's Law to remind them of their foolishness. One of the many ways in the computer world that "if something can go wrong, it will go wrong" is "if there is a backdoor in software, it will be found and/or leaked and it will be exploited". So yeah, nothing to see here, everyone grab their tin foil hats with blinders and move along and remember Keep It Simple, STUPID, just as your superiors and government overlords request/demand and don't worry, obscurity is effective isn't it?

  • by Anonymous Coward on Friday July 12, 2013 @12:35AM (#44258461)

    Public Internet? Really? That's all you're concerned about? How about any business that requires auditable data access/manipulation and/or is concerned in the least about insider threat? How about the ability of the mail clerk to nuke your entire storage array if he gets hacked off and decides to quit and leave a going away present. Outsider threats are the least of your concerns with a hole like this. But thanks for your brilliant security advice.

  • Re:badg3r5 (Score:4, Insightful)

    by L4t3r4lu5 ( 1216702 ) on Friday July 12, 2013 @04:08AM (#44259183)

    I'm an IT manager in WI and the closest HP user support and sales agent is in Illinois

    They definitely have people they don't let you talk to, and I'm betting those guys wrote this account into the software.

  • Re:badg3r5 (Score:5, Insightful)

    by webmistressrachel ( 903577 ) on Friday July 12, 2013 @05:43AM (#44259463) Journal

    Oh wait... I thought you were joking!

    The SHA1 of "badg3r5" really is "78a7ecf065324604540ad3c41c3bb8fe1d084c50".

    http://www.sha1-lookup.com/index.php?q=78a7ecf065324604540ad3c41c3bb8fe1d084c50 [sha1-lookup.com]

    HP used "badgers" in leet-speak for an NSA backdoor? Smells like they wanted people to know, to me. Maybe they didn't like what they were supposed to be doing, and stuck their tongue firmly in cheek at the implementation stage? "Screw the NSA - we'll give them a back door if they want it so much - and we'll make it so that researchers find it easily, so our business isn't damaged in the long term ("If we wanted your data so much, we'd have done a better job of hiding it - blame your government")"
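The hash check discussed in the story summary and in the comments above (confirming that the SHA-1 of "badg3r5" is the digest Technion published), reproduced offline as an added example. This is not code from the original page, from Technion, or from HP. It shows why a fixed, unsalted SHA-1 of a leet-speak dictionary word gives no protection once the digest is known: a handful of base words with the usual letter-for-digit substitutions recovers it in a few dozen candidates, which is all the sha1-lookup site in the comment above is doing with a precomputed table. The base-word list and the substitution table are constructed for this example and are assumptions, not anything taken from the products.

```python
import hashlib
from itertools import product

# Digest Technion published for the HPSupport account (quoted on this page).
PUBLISHED_DIGEST = "78a7ecf065324604540ad3c41c3bb8fe1d084c50"

# Letter-for-digit substitutions typical of "leet-speak" passwords.
# The table is an assumption chosen for this example, not from any product.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def sha1_hex(candidate: str) -> str:
    """Unsalted SHA-1 of a password, hex encoded, as a careless vendor might store it."""
    return hashlib.sha1(candidate.encode()).hexdigest()


def leet_variants(word: str):
    """Yield every variant of `word` in which each substitutable letter is
    independently kept or replaced: 2**k variants for k such letters."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for mask in product((False, True), repeat=len(positions)):
        chars = list(word)
        for flip, i in zip(mask, positions):
            if flip:
                chars[i] = LEET[chars[i]]
        yield "".join(chars)


def crack_unsalted_sha1(target_hex: str, base_words):
    """Return (password, candidates_tried) for the first leet variant of a
    base word whose SHA-1 matches target_hex, or (None, candidates_tried)
    when nothing in the list matches."""
    target_hex = target_hex.lower()
    tried = 0
    for word in base_words:
        for cand in leet_variants(word):
            tried += 1
            if sha1_hex(cand) == target_hex:
                return cand, tried
    return None, tried


# Constructed mini wordlist: the sort of first-pass list a tester would try
# against a vendor support account (an assumption for this example).
WORDLIST = ["support", "service", "hpsupport", "admin", "badgers", "storage"]


if __name__ == "__main__":
    pw, n = crack_unsalted_sha1(PUBLISHED_DIGEST, WORDLIST)
    print(f"match: {pw!r} after {n} candidates")
```

The same unsalted-digest weakness applies to any fixed vendor credential: once the digest leaks, the search cost is bounded by the size of a wordlist rather than by the hash function, and no per-device salt or rate limit on the SSH login changes that.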
