Hidden Backdoor Discovered On HP MSA2000 Arrays

wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."

Not working here

[jonathanhowell]

A quick login test on my MSA 2012i G3 doesn't work.

"Access denied"

more testing later.
J

Re:Not working here

[jgtg32a]

On the article some guy said it is only accessible through the serial port.

Re:Not working here

[Necron69]

The array they mean is really the MSA P2000 G3, which is a new 8Gb/s fibre channel array. Note that the array is OEM'd from Dot Hill.

I tried the 'exploit' on my array. Yes, I can log in with admin/!admin, and no, the admin account does not show up in the GUI listing. BTW, the "admin/!admin" combo was the default login on previous versions of this array, but for this version, the default account was changed to "manage". I'd guess this is a coding error, not some deliberate backdoor.

The article is wrong that the password cannot be changed. You can change it just fine from the CLI:

HP StorageWorks MSA Storage P2000 G3 FC
System Name: MSA_P2000_1
System Location:XXXXXXXXX
Version:L100R013

# set password admin
Enter new password: ****
Re-enter new password: ****
Success: Command completed successfully. (admin) - The password was changed.

Verified that login is no longer possible via web GUI or SSH. Problem solved.

- Necron69