Slashdot Mirror


Hidden Backdoor Discovered On HP MSA2000 Arrays

wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."

6 of 197 comments

  1. Wow... by Ethanol-fueled · · Score: 5, Funny

    The hard coded user and password in the HP MSA2000 is set to:

    username: admin

    password: !admin

    WaHAHAHAHAH! Not even "n9xe2uPAthe9" or even "Mr.Snuffles". And it is exactly the same as the very generic username, except for one extra character. It's almost as bad (or perhaps even worse) than using "123456" or even "password."

    This further proves that "faith based security" - relying on vendors to provide systems with built-in robust security - is not a good practice.

    Well...nah, I won't even go there. Too easy. I'm trying to be a good boy. Would somebody like to post a sysadmin's prayer for us?

    1. Re:Wow... by mrsteveman1 · · Score: 4, Funny

      Yes but you've now seen the ! so it's NOT admin, we'll have to keep looking.

      Those HP guys are clever.

    2. Re:Wow... by beanpoppa · · Score: 5, Funny

      Steve-"Hey, Frank! What should I make the password for our backdoor admin account?" Frank-"Definitely NOT admin!" Steve-"Ok."

  2. And the password is..... by drsmack1 · · Score: 4, Funny

    cntraltdelete

    If that is too long to type, you can use the shortcut keys on your keyboard. This HP thing goes deep. . . .

  3. Hello Joshua ... by tgd · · Score: 3, Funny

    How about a nice game of chess?

  4. That's funny, because by seebs · · Score: 3, Funny

    Whenever you type '!admin' all I see is '******'. Whereas, if I type 'hunter2', all you see is '*******'.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/