New backdoor in HP server products

July 12, 2013 – 10:05 PM

Computer manufacturer HP has admitted that its StoreVirtual servers also contain an undocumented backdoor. The security vulnerability risks allowing attackers to gain unauthorised access to the storage systems. The backdoor provides users with direct access to the holy of holies, “LeftHand” (the operating system for the StoreVirtual server). HP has previously marketed its StoreVirtual systems as LeftHand Storage and P4000 SAN. LeftHand OS was originally called SAN/iQ.

In a security advisory, HP stresses that, although the backdoor provides root access to the server, it does not provide access to the user data stored on the server system. HP is planning to provide a patch to permanently deactivate the backdoor by 17 July.

Late June saw the disclosure of the presence of a similar backdoor in HP backup servers. As with the company’s StoreOnce systems, this case revolves around undocumented administrator access. In an emergency – such as a need to reset the main password – this enabled HP staff to offer users the option of carrying out remote maintenance. As with StoreOnce, disclosure of the vulnerability is once again down to security researcher Joshua Small (known by his online pseudonym Technion).

The backdoor in StoreOnce systems only affected devices that had not yet been updated to version 3.x of the software, released in November 2012. According to HP, all second generation StoreOnce devices can be updated to StoreOnce 3.x – only the early StorageWorks D2D devices are unable to run this software. A list of affected systems can be found in the official advisory from HP.


You must be logged in to post a comment.