Slashdot Mirror


Hidden Backdoor Discovered On HP MSA2000 Arrays

wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large-scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."

3 of 197 comments

  1. Re:Ok so two things by Saishuuheiki · · Score: 4, Interesting

    One would assume that you would hardcode it so if the user loses his password, he can call the company. And trust me, they WILL lose their password.

    One would hope that the password is put somewhere that a firmware flash can change it, however.

  2. Re:Looks like a big "fuck you" to Uncle Sam. by Anonymous Psychopath · · Score: 5, Interesting

    Don't we hear every so often about how the US government wants backdoors into otherwise secure systems and crypto algorithms for "national security" or "law enforcement" purposes? I suspect that the MSA2000 was required to have a backdoor to appease Uncle Sam, and somebody at HP decided that if Uncle Sam wanted a backdoor, Uncle Sam could damn well have a goate.cx-esque backdoor.

    Exactly! What happened was that they used this type of storage array to hold data on the 9/11 cover-up, and also to edit the footage of the "moon landing". Also the specs for their black surveillance whisper copters.

    Or someone at HP is a moron.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  3. Re:Wow... by pixelpusher220 · · Score: 4, Interesting

    On a serious note, with a user name of 'admin', would that prevent an actual user account being created with 'admin' as the name?

    Wonder if that might be a new check to run on vendor systems to weed out the truly stupid 'features' like this one. Run a script to create frequently used admin accounts and see if any fail due to them already existing.

    --
    People in cars cause accidents....accidents in cars cause people :-D