Hidden Backdoor Discovered On HP MSA2000 Arrays
wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."
The hard-coded user and password in the HP MSA2000 is set to: username: admin
password: !admin
WaHAHAHAHAH! Not even "n9xe2uPAthe9" or even "Mr.Snuffles". And it is exactly the same as the very generic username, except for one extra character. It's almost as bad (or perhaps even worse) than using "123456" or even "password".
This further proves that "faith-based security" - relying on vendors to provide systems with built-in robust security - is not a good practice.
Well...nah, I won't even go there. Too easy. I'm trying to be a good boy. Would somebody like to post a sysadmin's prayer for us?
Oh wait...
Humor from a Genetically Molested Mind
cntraltdelete
If that is too long to type, you can use the shortcut keys on your keyboard. This HP thing goes deep. . . .
Humor from a Genetically Molested Mind
How about a nice game of chess?
1) Why the hell would any manufacturer hard code ANY passwords or users and
2) Just how many of these systems are out there, in which areas of the private & public sectors?
Just a while back, kernel.org got some infrastructure upgrades, including two HP MSA70s. Hopefully this invisible user account doesn't affect their boxen, seeing how they're a different (but similar) model number.
HP to blame for WikiLeaks?
Uhhh....your Ameriphobia is showing. When all you do all day is think about how America is bad, then it's not surprising when you invent scenarios in which you are correct. I am reminded of the Baptist preacher who thinks that every time someone gets an STD, it must be the work of Satan.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Whenever you type '!admin' all I see is '******'. Whereas, if I type 'hunter2', all you see is '*******'.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
aren't all passwords supposed to be "encrypted" ?
In this case, it's hoped that competitors to Uncle Sam's campaign contributors buy this storage array for cheap and easy industrial espionage. It's not about national security or law enforcement, it's ensuring US companies can exercise their right to make a profit. If it involves hacking into a competitor's system and downloading all their data, even better. No one would suspect their disk array!
Your point about relying on vendors is a superb one. Here's another data point to be concerned with.
A lot of startups, and not-so-small companies, source their boxes from Asian manufacturers. This is generally known, and not a surprise. What may be a surprise is that not even the vendor who turns it into a server-type product is authorized to open the box. If they do, the warranty is voided. The top-end boxes will go for +$15K a pop, so you can darn well be certain that the vendor doesn't open the system.
This is a superb opportunity for Chinese manufacturers to put in a back door to an embedded server product. I can think of a half dozen vendors, whose names everyone recognizes, which do this.
Good luck on securing that.
Don't we hear every so often about how the US government wants backdoors into otherwise secure systems and crypto algorithms for "national security" or "law enforcement" purposes? I suspect that the MSA2000 was required to have a backdoor to appease Uncle Sam, and somebody at HP decided that if Uncle Sam wanted a backdoor, Uncle Sam could damn well have a goate.cx-esque backdoor.
Exactly! What happened was that they used this type of storage array to hold data on the 9/11 cover-up, and also to edit the footage of the "moon landing". Also the specs for their black surveillance whisper copters.
Or someone at HP is a moron.
Eagles may soar, but weasels don't get sucked into jet engines.
A quick login test on my MSA 2012i G3 doesn't work.
"Access denied"
more testing later.
J
Zip up. Your flag-waving nationalism is showing.
I write sci-fi for metalheads
I think Uncle Sam would have been a little more creative in choosing the backdoor password since it would have, in large part been USA companies rendered vulnerable. This indicates, I think, either a disgruntled worker who didn't care about picking a hard to find backdoor, or an agent for the foreign government of a country that does a lot of outsourcing who wanted anybody discovering the backdoor to think it was a disgruntled worker. Sometimes it's all about plausible deniability.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
It's not a vulnerability it's a feature.
How d'you know it wasn't some Chinese firmware programmer?
Hail Eris, full of mischief...
E pluribus sanguinem
Uhhh....your Ameriphobia is showing. When all you do all day is think about how America is bad, then it's not surprising when you invent scenarios in which you are correct
U.S. Tries to Make It Easier to Wiretap the Internet
FBI drive for encryption backdoors is déjà vu for security experts
Yeah .. you're right .. it's Ameriphobia when US companies are complying with the gubmint
I am Slashdot. Are you Slashdot as well?
Mr. Potato Head! Mr Potato Head! Back doors are not secrets!
Dell Tape storage systems have the same thing. Running a tcpdump while the support rep is logging in should get it for you :-)
It amazes me how many Slashdot has, how quickly people here will believe some amazingly complex and willy explanation over a simple and obvious one. So what is the obvious one here? Simple: HP support. They want to be able to get into the units to help their customers, and do shit like recover passwords (which customers will lose). So they add their special hardcoded maintenance account.
Seriously, going from this to "OMG government conspiracy," based on NO additional evidence means you are presupposing. You've decided on a conclusion (that the government requires everything to have a backdoor, which is 100% false) and are then making a massive illogical leap with no supporting evidence to that.
I can't believe this would have been done by anyone inside HP?
Read the Cisco vulnerability report: root control of the device...
Think where these teleconferencing suites are used: The Whitehouse, Pentagon, Central Command and every three-star command...
Who might want to lurk on some reality TV?
"Knowing everything doesn't help..."
Mr. Potato Head, Mr. Potato Head ! Backdoors are NOT secrets !
The back sure looks extremely DotHill-ish, and not LSI or some other storage vendor's hardware.
Someone needs to start checking other DotHill arrays....
Because the Chinese would be smarter and subtler than that - unless they thought I'd think that about them, which proves it!
Naturally, this isn't a huge concern, because all companies using disk arrays of this type have admin access via a secure subnet that only IT staff have access to, via dedicated network ports and dedicated PCs, with no way for traffic to reach the arrays from the outside world.
Right?
Right?
Uh ... guys?
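The comment above assumes that management access to an array of this type only ever comes from a dedicated management subnet, and the summary at the top notes that the hidden account never appears in the user manager. Those two facts give a defender two checks that can be run over the array's login records. The block below is an added example, not code from the original thread or from HP: the log format, the management subnet, the hostnames and the list of "visible" users are all constructed for the example, and a real array's log format will differ.

```python
"""Added example (not from the thread or from HP): audit successful logins
on a storage array's management interface against (a) the management
subnet(s) that are supposed to be the only source of such logins and
(b) the list of accounts the device's own user manager shows.

The log format, addresses and user list are constructed for this example.
"""

import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed log format: one login event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: two hosts, one of them (192.0.2.77) outside the
# management subnet, and one login as an account the user manager does not list.
SAMPLE_LOG = """\
2010-12-17T10:22:01Z user=ops_jane src=10.0.100.12 result=ok
2010-12-17T10:25:44Z user=admin src=10.0.100.12 result=ok
2010-12-17T11:02:09Z user=manage src=192.0.2.77 result=ok
2010-12-17T11:03:15Z user=admin src=192.0.2.77 result=fail
""".splitlines()

MGMT_NETS = ["10.0.100.0/24"]          # assumption: the dedicated management subnet
VISIBLE_USERS = ["manage", "ops_jane"]  # assumption: what the user manager exports


def parse_login_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields; raise on garbage."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def audit_logins(lines: Iterable[str], mgmt_nets: Iterable[str],
                 visible_users: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per successful login that either came from outside
    the management subnet(s) or used an account the user manager does not show.
    Failed attempts are skipped here; they are not sessions."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    visible = set(visible_users)
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_login_line(line)
        if rec["result"] != "ok":
            continue
        src = ipaddress.ip_address(rec["src"])
        problems = []
        if not any(src in net for net in nets):
            problems.append("source outside management subnet")
        if rec["user"] not in visible:
            problems.append("account not listed in user manager")
        if problems:
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "src": rec["src"], "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_logins(SAMPLE_LOG, MGMT_NETS, VISIBLE_USERS):
        print(f"{f['ts']} user={f['user']} src={f['src']}: {', '.join(f['problems'])}")
```

The second check is the one specific to this advisory: a successful login by an account that the device's own user manager does not list cannot have been created by the operator, so it is either the hidden account or something equally worth a phone call.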
I first remember seeing this type of security described in the 80's movie, 'Wargames'.
Username: Julian
Password: Assange
Perhaps I didn't read close enough, but I didn't see anyone complying.
The FBI and NSA can ask for the moon, doesn't mean they are going to get it.
From reading your link perhaps you should have a case of Indiaphobia or United Arab Eremitesphobia.
There are other countries in this world with the pull to have back doors included, its not a u.s.a. specific issue.
Don't know something? Look it up. Still don't know? Then ask.
It's probably nothing like that. Some idiot on the service side of the house probably convinced some VP that a backdoor was needed so the support people could deal with customers who had lost the passwords or when they had to refurbish and RMA and wanted to be lazy and not have to replace any chips or flash the thing or whatever. That VP then made the software team add the backdoor. I think on the MSA15000 there is a check to make sure the password does not match the user name, which I might have run across when familiarizing myself with it prior to deployment. The developers probably wanted to make the password match the user name (it's hidden after all) but also did not want to run into that test code somewhere even with the hard-coded value.
That being said, admin was an aggressively stupid choice and hard coded back doors at least rank as very stupid to begin with.
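The comment above guesses that a "password must not equal the username" check is what turned "admin" into "!admin". The block below is an added example, not HP's code and not a description of the MSA firmware: it shows that kind of equality-only rule beside the stricter rule a reviewer would ask for, and runs both over the credentials and the joke passwords quoted earlier in the thread. The normalization and distance thresholds are choices made for the example.

```python
"""Added example (not HP's code): an equality-only "password != username"
rule beside a stricter rule that also catches passwords which differ from
the username only by punctuation, case or a couple of characters.
"""

import re
from typing import List


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row iterative version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def naive_check(username: str, password: str) -> bool:
    """The kind of rule the comment describes: reject only an exact match."""
    return password != username


def normalize(s: str) -> str:
    """Lowercase and drop everything but letters and digits, so a leading
    '!' or trailing '2010' does not make a password count as different."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def strict_reasons(username: str, password: str, min_len: int = 8) -> List[str]:
    """Return every reason the password is rejected; empty list means accepted."""
    reasons = []
    u, p = normalize(username), normalize(password)
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if not p:
        reasons.append("no letters or digits")
    elif u and u in p:
        reasons.append("contains the username once punctuation is removed")
    elif u and edit_distance(u, p) <= 2:
        reasons.append("within two edits of the username")
    return reasons


def strict_check(username: str, password: str) -> bool:
    return not strict_reasons(username, password)


if __name__ == "__main__":
    # Credentials from the advisory plus the passwords joked about in the thread.
    for pw in ["admin", "!admin", "Admin-2010!", "n9xe2uPAthe9", "Mr.Snuffles"]:
        print(f"{pw!r:16} naive={naive_check('admin', pw)!s:5} "
              f"strict={strict_check('admin', pw)!s:5} {strict_reasons('admin', pw)}")
```

The equality-only rule accepts "!admin" and "Admin-2010!" just as happily as it accepts a random string; the stricter rule rejects both and still accepts the two joke passwords, which is the behaviour a reviewer would expect before a hard-coded value went anywhere near a shipping product.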
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Zip up. Your flag-waving nationalism is showing.
I love my country, salute my flag, and honor the soldiers who have fought to keep us safe. From foreigners. With uninteresting opinions. Who should butt out!
THAT is flag-waving nationalism. As it is generic, you may easily reuse it for your own nationalistic purposes, which I will, of course, ignore, because you are probably a foreigner. So butt out. :-)
Perhaps I didn't read close enough, but I didn't see anyone complying.
The FBI and NSA can ask for the moon, doesn't mean they are going to get it.
From reading your link perhaps you should have a case of Indiaphobia or United Arab Eremitesphobia.
There are other countries in this world with the pull to have back doors included, its not a u.s.a. specific issue.
Oh I agree this is not an American phenomenon, and it was really funny when people were getting all up in arms over the phone equipment supplied to Iran. And the case in Greece with the phone system was also a very very sophisticated backdoor hack that probably was (some) government related. But as to companies complying. Do you really think that part of a company's advertising campaign is "We support all government requested back doors!"
I am Slashdot. Are you Slashdot as well?
Actually, I'm an alien, an exile from Planet Transsexual.
I write sci-fi for metalheads
If someone disables the building's primary security system, defeats the lock on your front door, breaks in, when nobody's there, figures out where your MSA is, defeats your server room's dedicated primary alarm system, breaks through the steel fire door into your server room, defeating the ANSI GRADE 1 industrial access control locks, figures out the precise cage where your MSA2000 is located, defeats the cage locks, figures out the combination to open your cabinet, and somehow removes the faceplate without triggering the intrusion alarm, or motion detectors, noise sensors, and surveillance cameras attached to the server room's secondary security/environment monitoring system.
Then yes... there is a small chance someone might be able to insert a serial connector into your MSA to login as this GUI-unavailable backdoor user without the perp getting caught pretty quickly.
By the way, the 'password security' on many routers can be defeated by sending a BREAK via serial console during reboot, or by pushing a recessed RESET button. Where is the outrage?
Heh... No such thing as too much Tim Curry. Carry on.
These super secret access points are there so the maintenance guys can get access when they need it? Not in my shop. If vendor's maintenance people need access, I'll be the one to give it to them and I'll be the one to deny it if necessary. It's my equipment, my data, my computing facility and no one outside my organization is going to get into it without my permission. If I owned equipment which has undisclosed (to me) access points, I'm suing the manufacturer for as much money as I can possibly can get. Such actions by vendors/manufacturers are unconscionable.
Livingston (now Lucent) routers had a recovery mode where you physically had to flip a DIP switch and read a key to them.
If I remember correctly, this would get you one factory default wipe, so you could get back in and then restore the settings.
IMHO, this is the only type of solution that works, you need physical access, AND have to be willing to restore from backup.
If you don't see it adjust your threshold. I was replaying to a conspiracy theorist.
CISCO15
no joke.
or u + u
these problems are all over the place.
The NSA and GCHQ started this. They then talked to Nordic, German and French telco names to keep encryption low/weak tempest shielding or provide a back door.
Now all the units are from Asia and they have learned/designed/offered the same style of devices.
As OzPeter said, Costas Tsalikidis, the Greek telco whistleblower was found hanged.
Adamo Bove head of security at Telecom Italia who exposed the CIA renditions via cell phones ‘fell’ to his death.
Exposing the backdoors and long-term tracking can come at a price.
That's why many regimes around the world will want to build their own Linux-based telco systems. They know what's built in when a low import price is quoted.
Clandestine services the world over leak to the press/make statements - don't buy/roll out/trust any new hardware until tested.
I hope now admin and telco people slowly wake up.
Domestic spying is now "Benign Information Gathering"
Password:spyspyspyspy
September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
That's silly.
My country deserves no unconditional love just because I happened to be born in it, the flag is just a picture, and the soldiers sometimes fight for a just cause, and sometimes for a completely senseless one. My country is not special. If it goes wrong, I try to set it right, and do the exact same thing with any other country I happen to be living in at the moment, if I have the ability.
Nothing deserves unconditional respect. Respect is earned through good deeds.
HP many years ago integrated with Brocade switches. There was always an admin password to most HP devices at the enterprise level: the cited storage array + fibre switch or tape library robot. However most only worked with physical access to either operator panel or serial port.
Now that IP has been for a few years the new serial port I predict many more devices in the future will have their firmware/management ports compromised. I think it's SOP in large vendor enterprise to build such into your systems.
At some point you have to trust the guy inside the datacenter. What scares me is many datacenter-grade IP/KVMs, and other embedded devices are now in SMB and moving into the house.
To be honest its saved my bacon when the OP before me took the secret sauce passwords to Davy Jones locker.
It's interesting. HP is a US company with offices all over the world that outsources most of its production to foreign labor.
Why you are limiting this to the US government is sort of interesting in that it could have been slipped in by about any worker in almost any country working for almost any outside interest. And because HP doesn't individually develop and install custom firmware for each and every product it produces, it's only obvious that once it gets in, it would be in all of them that have the same firmware/operating system. But here you are already speaking about how you're hoping some conspiracy to steal secrets from political contributors' competitors as if there isn't any other motivation.
If you ask me, I would say it's simply a debug account that was supposed to be removed before final production and someone dropped the ball.
Damn, all I use mine for is backups...
America is all about speed. Hot, nasty, badass speed. -Eleanor Roosevelt, 1936
I don't think "the government requires everything to have a backdoor." I just think that if the FBI, or the NSA, or the CIA, or the U.S. Marshals, or the Department of Defense, or the Department of the Interior, or Homeland Security, or any one of any number of Byzantine U.S. government organizations approaches a large company like HP and says "Hey, we buy a bunch of stuff from you, do you mind if we have a backdoor?" I think in 90 percent of cases the answer will be "Sure, no problem." You don't need a conspiracy when the people will just grin and go along with whatever the government says.
Breakfast served all day!
why wouldn't a 'debug account' show up in a user display?
Disconnect the serial port, and then solder alternating pins to 120VAC and ground. Problem solved.
Assuming of course, you don't intend to use the serial port for anything legitimate.
Well, most appliance-type devices (and in this day and age, enterprise-class and mid-tier storage arrays are appliances) contain some kind of technician login, or tech support login for vendor support. When HP shows up onsite, and needs to apply a firmware update with full customer knowledge, this is the account they use.
Generally the account IS hidden, and the password is hard to guess.
USING THIS ACCOUNT DOES NOT GIVE ACCESS TO YOUR DATA. That would require physical access, or access to a storage network to make fiber channel or SAS connections, that is assuming that the controller is not one of the controllers that supports iscsi. If someone you do not trust has physical access to your disk array; and that access is not monitored (camera) then you have bigger issues to worry about.
If you are going to comment on field service accounts on storage arrays, please have some experience supporting storage arrays first so you know what the hell you are talking about.
EMC does the same thing. Pretty sure IBM does too.
Guess I should be more of a publicity whore and write articles about stuff that isn't news and is common knowledge in the IT sector once you get out of the "I went to ITT for my A+" crowd.
But as to companies complying. Do you really think that part of a companies advertising campaign is "We support all government requested back doors!"
Umm... yes, actually.
Something bad is coming when people are suddenly anxious to tell the truth.
And having the servers in the break room looked so cool!
> "A hardcoded .. hidden user exists that doesn't show up in the user manager, and the password cannot be changed..
Any idea how it got there?
Great now I'm going to have to change it. Our admin said that the password column was a "unique key" or something so I have to guess a lot of things before one sticks.