Slashdot Mirror


Hidden Backdoor Discovered On HP MSA2000 Arrays

wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."

8 of 197 comments

  1. Re:Ok so two things by sqlrob · Score: 4, Insightful

    That doesn't need a single hardcoded password. Generate one based on the serial number of the device. Recoverable, and a heck of a lot more secure than a single password for everybody.

  2. Sigh. Conspiracy theorists by Sycraft-fu · Score: 4, Insightful

    It amazes me how many Slashdot has, how quickly people here will believe some amazingly complex and wild explanation over a simple and obvious one. So what is the obvious one here? Simple: HP support. They want to be able to get into the units to help their customers, and do shit like recover passwords (which customers will lose). So they add their special hardcoded maintenance account.

    Seriously, going from this to "OMG government conspiracy," based on NO additional evidence means you are presupposing. You've decided on a conclusion (that the government requires everything to have a backdoor, which is 100% false) and are then making a massive illogical leap with no supporting evidence to that.

    1. Re:Sigh. Conspiracy theorists by DarkOx · Score: 3, Insightful

      OK, but an MSA2000 is NOT a toy. It might not be the first-class SAN solution for large caps, but they certainly power lots of medium businesses with billion-dollar-a-year bottom revenue lines. Those companies are big enough to care about security and big enough to employ at least one competent systems administrator, even if they will then force him to use some second-rate monkeys for help. That person should NOT be forgetting the password; what if something happens to him? Well, the way I did it is I wrote that stuff down. The sensitive passwords were kept in a safe deposit box on CD-ROM inside an AES-encrypted zip file at the bank; the CEO had the other key and knew the password to the zip as well. $25 a year is a small investment to ensure that one of us will be able to obtain that information if needed. Anyone buying an MSA2000 can afford that and can come up with a similar suitable arrangement.

      If HP *needs* a backdoor for servicing the units, it's 2010; they really should have some alternate login method, perhaps a serial header on the controller system board or something, so that you would have to give them physical access or an attacker would have to gain physical access, and the credentials should be a certificate file so there will be no guessing the 4Kb password.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
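
Two ideas in the replies above fit together: sqlrob's point that the recovery credential should be derived per device rather than shared by every unit, and DarkOx's point that the service path should be something the vendor answers at a physical console rather than a guessable password. The following is an added example of how such a maintenance credential could be built. It is not HP's code and does not describe how the MSA2000 actually works; VENDOR_MASTER_KEY, the serial numbers, the label strings and the DeviceConsole class are all constructed for the demo.

```python
"""Per-device maintenance credential with single-use challenge-response.

Added example; not HP's implementation. VENDOR_MASTER_KEY, the serial
numbers and the label strings are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for a vendor-side secret that would live in a
# support HSM. It is never shipped on the device.
VENDOR_MASTER_KEY = hashlib.sha256(b"constructed demo vendor master key").digest()


def derive_device_key(master_key: bytes, serial: str) -> bytes:
    """Per-device key = HMAC-SHA256(master_key, label || serial).

    The serial is printed on the chassis, so deriving from it alone would be
    a hardcoded algorithm, not a secret. Keying the derivation with the
    vendor master key means the serial is useless to anyone without that
    key, while the vendor can recompute any unit's key on demand.
    """
    return hmac.new(master_key, b"maint-key-v1:" + serial.encode(), hashlib.sha256).digest()


class DeviceConsole:
    """Device side of a serial-console maintenance login.

    The unit stores only its own derived key (provisioned at manufacture),
    never the master key, so a key dumped from one controller does not
    open any other unit.
    """

    def __init__(self, serial: str, device_key: bytes) -> None:
        self.serial = serial
        self._key = device_key
        self._pending = None  # outstanding nonce, or None

    def challenge(self) -> bytes:
        """Issue a fresh random nonce that the support engineer must answer."""
        self._pending = secrets.token_bytes(32)
        return self._pending

    def verify(self, response: bytes) -> bool:
        """Accept iff response == HMAC(device_key, label || pending nonce).

        The nonce is consumed on any attempt, so a response captured off
        the console cannot be replayed later.
        """
        if self._pending is None:
            return False
        expected = hmac.new(self._key, b"maint-resp-v1:" + self._pending, hashlib.sha256).digest()
        self._pending = None
        return hmac.compare_digest(expected, response)


def vendor_respond(master_key: bytes, serial: str, challenge: bytes) -> bytes:
    """Vendor side: recompute the unit's key from its serial and answer."""
    device_key = derive_device_key(master_key, serial)
    return hmac.new(device_key, b"maint-resp-v1:" + challenge, hashlib.sha256).digest()


def demo() -> dict:
    """Exercise the scheme against the cases the thread worries about."""
    serial = "SGA0123456"  # constructed serial number
    unit = DeviceConsole(serial, derive_device_key(VENDOR_MASTER_KEY, serial))
    results = {}

    # Legitimate support session: the vendor answers the unit's challenge.
    nonce = unit.challenge()
    answer = vendor_respond(VENDOR_MASTER_KEY, serial, nonce)
    results["vendor_accepted"] = unit.verify(answer)

    # Replay: the same captured answer against a new challenge fails.
    unit.challenge()
    results["replay_rejected"] = not unit.verify(answer)

    # Attacker knows the serial and the algorithm but not the master key.
    nonce = unit.challenge()
    forged = vendor_respond(b"guessed master key", serial, nonce)
    results["wrong_master_rejected"] = not unit.verify(forged)

    # Attacker has dumped another unit's device key and tries it here.
    nonce = unit.challenge()
    other_key = derive_device_key(VENDOR_MASTER_KEY, "SGA0999999")
    cross = hmac.new(other_key, b"maint-resp-v1:" + nonce, hashlib.sha256).digest()
    results["other_unit_key_rejected"] = not unit.verify(cross)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

What this buys over a single hardcoded account: there is nothing in the firmware image that opens every unit, nothing typed at the console that can be replayed, and knowing the serial number (which anyone in the data centre can read off the label) gets an attacker nowhere without the vendor's master key. What it does not buy: someone who can pull the controller's flash still recovers that one unit's key, so the device key needs the same protection as any other stored secret, and the whole scheme is only as strong as the HSM or procedure guarding the master key. A symmetric HMAC is used here for brevity; DarkOx's certificate-based variant would have the device hold only a vendor public key and verify a signature over the nonce, which removes even the per-unit secret from the device.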
  3. Re:Ok so two things by zero_out · Score: 3, Insightful

    They probably put a hardcoded u/n & p/w into the system early in development to ensure that their login security system worked, then implemented configurable logins, forgetting to remove the hardcoded one.

    When I code something that is meant to be configurable, I first hardcode some values to ensure that the code works, then I code a configurable text-file based system, like ini or properties files. Finally, I move on to implementing the desired configuration method, such as LDAP, SQL, or HTTP GET. Anything sensitive is encrypted, of course. I have always remembered to remove the hardcoded values, but I've seen colleagues forget to do the same.

  4. Re:Looks like a big "fuck you" to Uncle Sam. by Jeng · Score: 3, Insightful

    Perhaps I didn't read closely enough, but I didn't see anyone complying.

    The FBI and NSA can ask for the moon, doesn't mean they are going to get it.

    From reading your link, perhaps you should have a case of Indiaphobia or United Arab Emirates-phobia.

    There are other countries in this world with the pull to have back doors included; it's not a U.S.A.-specific issue.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  5. Re:Not working here by MozeeToby · Score: 4, Insightful

    In the article, some guy said it is only accessible through the serial port.

    Which kind of changes the whole tone in my opinion. I'm of the persuasion that if a black hat has physical access to your hardware, you've already lost. It's still shockingly bad practice from a vendor, but if this is true it goes from a serious issue to a moderate one.

  6. FEAR by mysidia · Score: 5, Insightful

    If someone disables the building's primary security system, defeats the lock on your front door, breaks in, when nobody's there, figures out where your MSA is, defeats your server room's dedicated primary alarm system, breaks through the steel fire door into your server room, defeating the ANSI GRADE 1 industrial access control locks, figures out the precise cage where your MSA2000 is located, defeats the cage locks, figures out the combination to open your cabinet, and somehow removes the faceplate without triggering the intrusion alarm, or motion detectors, noise sensors, and surveillance cameras attached to the server room's secondary security/environment monitoring system.

    Then yes... there is a small chance someone might be able to insert a serial connector into your MSA to login as this GUI-unavailable backdoor user without the perp getting caught pretty quickly.

    By the way, the 'password security' on many routers can be defeated by sending a BREAK via serial console during reboot, or by pushing a recessed RESET button. Where is the outrage?

  7. Re:Wow... by Anonymous Coward · Score: 2, Insightful

    Would somebody like to post a sysadmin's prayer for us?

    Our Router, which art in IOS
    hallowed be thy interface
    thy packets come
    thy routing be done
    on the LAN as it is on the Web.
    Give us this day our daily Clues
    And forgive us our LARTings
    As we LART those who make stupid service requests
    And lead us not into Windows support
    but deliver us from lusers
    For thine is the Network
    The Bandwidth and the Packet
    For the duration of the DHCP lease.
    Amen