Hidden Backdoor Discovered On HP MSA2000 Arrays
wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."
The MSA70 is just a disk-shelf, and is connected to the host via SAS: there is no way to connect an MSA70/50/30 to an IP network.
While we're at it, you'd really have to go out of your way to expose something like an MSA2000 to the wider internet, as you'd have to be stupid enough to be running your storage network on a routable range with external routing from your edge. Basically, you'd have to be a giant fuckwit.
A quick login test on my MSA 2012i G3 doesn't work.
"Access denied"
more testing later.
J
Just how many of these systems are out there, in which areas of the private & public sectors?
Lots and most of them. MSA2000s are common. HP has been selling them for years. Although it has been superseded by newer models, the channel still has a large supply. Pretty good hardware for the money.
Lurking at the bottom of the gravity well, getting old
Uhhh....your Ameriphobia is showing. When all you do all day is think about how America is bad, then it's not surprising when you invent scenarios in which you are correct
U.S. Tries to Make It Easier to Wiretap the Internet
FBI drive for encryption backdoors is déjà vu for security experts
Yeah .. you're right .. it's Ameriphobia when US companies are complying with the gubmint
I am Slashdot. Are you Slashdot as well?
Seriously, going from this to "OMG government conspiracy," based on NO additional evidence means you are presupposing.
And you have totally fallen for it. The gubmint is one step ahead of you already by using psychology to defeat your common sense. They selected the account/password to masquerade as an HP support account, knowing that if it was found out that people like you (or should I say gubmint shills????????) would try and convince the rest of us that it was all an innocent mistake!
Try and refute *that* Mr G-Man!
I am Slashdot. Are you Slashdot as well?