Slashdot Mirror


Hidden Backdoor Discovered On HP MSA2000 Arrays

wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."

24 of 197 comments

  1. Wow... by Ethanol-fueled · · Score: 5, Funny

    The hard coded user and password in the HP MSA2000 is set to: username: admin

    password: !admin

    WaHAHAHAHAH! Not even "n9xe2uPAthe9" or even "Mr.Snuffles". And it is exactly the same as the very generic username, except for one extra character. It's almost as bad (or perhaps even worse) than using "123456" or even "password."

    This further proves that "faith based security" - relying on vendors to provide systems with built-in robust security - is not a good practice.

    Well...nah, I won't even go there. Too easy. I'm trying to be a good boy. Would somebody like to post a sysadmin's prayer for us?

    1. Re:Wow... by mrsteveman1 · · Score: 4, Funny

      Yes but you've now seen the ! so it's NOT admin, we'll have to keep looking.

      Those HP guys are clever.

    2. Re:Wow... by beanpoppa · · Score: 5, Funny

      Steve-"Hey, Frank! What should I make the password for our backdoor admin account?" Frank-"Definitely NOT admin!" Steve-"Ok."

    3. Re:Wow... by pixelpusher220 · · Score: 4, Interesting

      On a serious note, with a user name of 'admin', would that prevent an actual user account being created with 'admin' as the name?

      Wonder if that might be a new check to run on vendor systems to weed out the truly stupid 'features' like this one. Run a script to create frequently used admin accounts and see if any fail due to them already existing.

      --
      People in cars cause accidents....accidents in cars cause people :-D
  2. And the password is..... by drsmack1 · · Score: 4, Funny

    cntraltdelete

    If that is too long to type, you can use the shortcut keys on your keyboard. This HP thing goes deep. . . .

  3. Hello Joshua ... by tgd · · Score: 3, Funny

    How about a nice game of chess?

  4. Re:Ok so two things by Saishuuheiki · · Score: 4, Interesting

    One would assume that you would hardcode it so if the user loses his password, he can call the company. And trust me, they WILL lose their password.

    One would hope that the password is put somewhere that a firmware flash can change it however.

  5. That's funny, because by seebs · · Score: 3, Funny

    Whenever you type '!admin' all I see is '******'. Whereas, if I type 'hunter2', all you see is '*******'.

    --
    My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
  6. Some other examples by Anonymous Coward · · Score: 3, Interesting

    Your point about relying on vendors is a superb one. Here's another data point to be concerned with.

    A lot of startups, and not-so-small companies, source their boxes from Asian manufacturers. This is generally known, and not a surprise. What may be a surprise is that not even the vendor who turns it into a server type of product is authorized to open the box. If they do, the warranty is voided. The top end boxes will go for +$15K a pop, so you can darn well be certain that the vendor doesn't open the system.

    This is a superb opportunity for Chinese manufacturers to put in a back door to an embedded server product. I can think of a half dozen vendors, whose names everyone recognizes, which do this.

    Good luck on securing that.

  7. Re:Almost Kernel.org by Anonymous Coward · · Score: 3, Informative

    The MSA70 is just a disk-shelf, and is connected to the host via SAS: there is no way to connect an MSA70/50/30 to an IP network.

    While we're at it, you'd really have to go out of your way to expose something like an MSA2000 to the wider internet, as you'd have to be stupid enough to be running your storage network on a routable range with external routing from your edge. Basically, you'd have to be a giant fuckwit.

  8. Re:Looks like a big "fuck you" to Uncle Sam. by Anonymous+Psychopath · · Score: 5, Interesting

    Don't we hear every so often about how the US government wants backdoors into otherwise secure systems and crypto algorithms for "national security" or "law enforcement" purposes? I suspect that the MSA2000 was required to have a backdoor to appease Uncle Sam, and somebody at HP decided that if Uncle Sam wanted a backdoor, Uncle Sam could damn well have a goate.cx-esque backdoor.

    Exactly! What happened was that they used this type of storage array to hold data on the 9/11 cover-up, and also to edit the footage of the "moon landing". Also the specs for their black surveillance whisper copters.

    Or someone at HP is a moron.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  9. Not working here by jonathanhowell · · Score: 5, Informative

    A quick login test on my MSA 2012i G3 doesn't work.

    "Access denied"

    more testing later.
    J

    1. Re:Not working here by jgtg32a · · Score: 5, Informative

      On the article some guy said it is only accessible through the serial port.

    2. Re:Not working here by MozeeToby · · Score: 4, Insightful

      On the article some guy said it is only accessible through the serial port.

      Which kind of changes the whole tone in my opinion. I'm of the persuasion that if a black hat has physical access to your hardware, you've already lost. It's still shockingly bad practice from a vendor, but if this is true it goes from a serious issue to a moderate one.

    3. Re:Not working here by Necron69 · · Score: 5, Informative

      The array they mean is really the MSA P2000 G3, which is a new 8Gb/s fibre channel array. Note that the array is OEM'd from Dot Hill.

      I tried the 'exploit' on my array. Yes, I can log in with admin/!admin, and no, the admin account does not show up in the GUI listing. BTW, the "admin/!admin" combo was the default login on previous versions of this array, but for this version, the default account was changed to "manage". I'd guess this is a coding error, not some deliberate backdoor.

      The article is wrong that the password cannot be changed. You can change it just fine from the CLI:

      HP StorageWorks MSA Storage P2000 G3 FC
      System Name: MSA_P2000_1
      System Location:XXXXXXXXX
      Version:L100R013

      # set password admin
      Enter new password: ****
      Re-enter new password: ****
      Success: Command completed successfully. (admin) - The password was changed.

      Verified that login is no longer possible via web GUI or SSH. Problem solved.

      - Necron69

  10. Re:Ok so two things by TopSpin · · Score: 3, Informative

    Just how many of these systems are out there, in which areas of the private & public sectors?

    Lots and most of them. MSA2000 are common. HP has been selling them for years. Although it has been superseded by newer models the channel still has a large supply. Pretty good hardware for the money.

    --
    Lurking at the bottom of the gravity well, getting old
  11. Re:Ok so two things by sqlrob · · Score: 4, Insightful

    That doesn't need a single hardcoded password. Generate one based on the serial number of the device. Recoverable, and a heck of a lot more secure than a single password for everybody.
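The serial-number scheme proposed above, worked through as an added example (not code from the thread or from HP): a per-device recovery password is derived with a keyed HMAC over the chassis serial, the factory burns only a salted PBKDF2 verifier into the device, and support hands out the password on request. The vendor key, serial numbers and key lengths here are constructed for the example; a plain unkeyed hash of the serial is included only to show why the key matters.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed vendor secret for this example only. In a real deployment this
# key stays in the vendor's support infrastructure and never ships on a device.
VENDOR_RECOVERY_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

PASSWORD_LENGTH = 20
KDF_ITERATIONS = 200_000


def derive_recovery_password(serial: str, vendor_key: bytes = VENDOR_RECOVERY_KEY) -> str:
    """Per-device recovery password: base32(HMAC-SHA256(vendor_key, serial)).

    Because the MAC is keyed, the chassis serial (printed on the label and
    readable by anyone near the rack) is not enough to compute the password.
    Base32 keeps the result readable over a support phone call.
    """
    mac = hmac.new(vendor_key, serial.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=")[:PASSWORD_LENGTH]


def provision_device(serial: str, vendor_key: bytes = VENDOR_RECOVERY_KEY) -> dict:
    """What the factory writes into the device: a salted PBKDF2 verifier.

    Neither the password nor the vendor key is stored, so dumping one
    device's firmware yields nothing that opens a different device.
    """
    password = derive_recovery_password(serial, vendor_key)
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return {"serial": serial, "salt": salt, "verifier": verifier}


def verify_recovery_login(device: dict, candidate: str) -> bool:
    """Device-side check of a recovery password typed at the console."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), device["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(digest, device["verifier"])


def unkeyed_derivation(serial: str) -> str:
    """Counter-example: hashing the serial without a secret. Anyone who can read
    the label reproduces this, so it is hardly better than one shared password."""
    return hashlib.sha256(serial.encode("utf-8")).hexdigest()[:PASSWORD_LENGTH]


if __name__ == "__main__":
    # Constructed serial numbers for two units from the same production run.
    fleet = [provision_device(sn) for sn in ("CZ3412ABCD", "CZ3412ABCE")]
    for dev in fleet:
        pw = derive_recovery_password(dev["serial"])  # what vendor support would hand out
        print(dev["serial"], pw, verify_recovery_login(dev, pw))
    shared = len({derive_recovery_password(d["serial"]) for d in fleet}) == 1
    print("one password opens the whole fleet:", shared)
```

The point of the split is that three parties hold three different things: the vendor holds the key, the device holds a per-unit verifier, and the customer holds nothing until they call. Losing any one of them does not reproduce the admin/!admin situation, where a single string printed in one advisory opens every unit ever shipped.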

  12. Sigh. Conspiracy theorists by Sycraft-fu · · Score: 4, Insightful

    It amazes me how many Slashdot has, how quickly people here will believe some amazingly complex and willy explanation over a simple and obvious one. So what is the obvious one here? Simple: HP support. They want to be able to get in to the units to help their customers, and do shit like recover passwords (which customers will lose). So they add their special hardcoded maintenance account.

    Seriously, going from this to "OMG government conspiracy," based on NO additional evidence means you are presupposing. You've decided on a conclusion (that the government requires everything to have a backdoor, which is 100% false) and are then making a massive illogical leap with no supporting evidence to that.

    1. Re:Sigh. Conspiracy theorists by OzPeter · · Score: 3, Informative

      Seriously, going from this to "OMG government conspiracy," based on NO additional evidence means you are presupposing.

      And you have totally fallen for it. The gubmint is one step ahead of you already by using psychology to defeat your common sense. They selected the account/password to masquerade as an HP support account, knowing that if it was found out that people like you (or should I say gubmint shills????????) would try and convince the rest of us that it was all an innocent mistake!

      Try and refute *that* Mr G-Man!

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Sigh. Conspiracy theorists by DarkOx · · Score: 3, Insightful

      OK but an MSA2000 is NOT a toy. It might not be the first class SAN solution for large caps but they certainly power lots of medium business with billion dollar a year bottom revenue lines. Those companies are big enough to care about security and big enough to employ at least one competent systems administrator even if they will then force him to use some second rate monkeys for help. That person should NOT be forgetting the password, what if something happens to him? Well, the way I did it is I wrote that stuff down. The sensitive passwords were kept in a safe deposit box on CD-ROM inside an AES encrypted zip file at the bank; the CEO had the other key and knew the password to the zip as well. $25 dollars a year is a small investment to ensure that one of us will be able to obtain that information if needed. Anyone buying an MSA2000 can afford that and come up with a similar suitable arrangement.

      If HP *needs* a backdoor for servicing the units, it's 2010, they really should have some alternate log in method, perhaps a serial header on the controller system board or something so that you would have to give them physical access or an attacker would have to gain physical access and the credentials should be a certificate file so there will be no guessing the 4Kb password.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  13. Re:Ok so two things by zero_out · · Score: 3, Insightful

    They probably put a hardcoded u/n & p/w into the system early in development to ensure that their login security system worked, then implemented configurable logins, forgetting to remove the hardcoded one.

    When I code something that is meant to be configurable, I first hardcode some values to ensure that the code works, then I code a configurable text-file based system, like ini or properties files. Finally, I move on to implementing the desired configuration method, such as LDAP, SQL, or HTTP GET. Anything sensitive is encrypted, of course. I have always remembered to remove the hardcoded values, but I've seen colleagues forget to do the same.
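The failure mode described in this comment (a development fallback that survives into the shipped login path), together with pixelpusher220's suggestion earlier in the thread of testing a system for accounts that exist but are not listed, as an added example that is not code from the thread or from HP. The store, the account names other than the page's own admin/!admin, and the audit function are constructed for the example; the audit is the kind of regression test a vendor would run in CI against its own firmware build.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class UserStore:
    """The configured accounts: the only thing the hardened login path consults."""

    def __init__(self):
        self._users = {}

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash_pw(password, salt))

    def list_users(self) -> list:
        """What the user manager / GUI would display."""
        return sorted(self._users)

    def check(self, name: str, password: str) -> bool:
        rec = self._users.get(name)
        if rec is None:
            _hash_pw(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, digest = rec
        return hmac.compare_digest(_hash_pw(password, salt), digest)


# --- the "before": a bring-up credential that was never removed ---
# The pair itself is the one the page reports for the MSA2000.
DEV_FALLBACK = ("admin", "!admin")


def authenticate_with_leftover(store: UserStore, name: str, password: str) -> bool:
    if (name, password) == DEV_FALLBACK:  # never appears in store.list_users()
        return True
    return store.check(name, password)


# --- the hardened form: one source of truth for who may log in ---
def authenticate(store: UserStore, name: str, password: str) -> bool:
    return store.check(name, password)


# --- regression check for the build pipeline ---
def hidden_account_audit(auth_fn, store: UserStore, candidates: list) -> list:
    """Return (user, password) pairs that authenticate although the user is
    not a listed account. Non-empty means a login path bypasses the store.
    candidates: constructed list, e.g. defaults from earlier firmware releases."""
    visible = set(store.list_users())
    return [(u, p) for u, p in candidates if u not in visible and auth_fn(store, u, p)]


if __name__ == "__main__":
    store = UserStore()
    store.add("manage", "correct horse battery staple")  # the documented default account name
    probes = [("admin", "!admin"), ("manage", "!manage"), ("root", "root")]
    print("leftover build :", hidden_account_audit(authenticate_with_leftover, store, probes))
    print("hardened build :", hidden_account_audit(authenticate, store, probes))
```

Because the audit compares what authenticates against what the user manager lists, it catches the exact symptom reported in the thread: an account that works but is invisible. It only needs the list of previous-release defaults to be maintained, which is cheap compared with the advisory that follows if it is not.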

  14. Re:Looks like a big "fuck you" to Uncle Sam. by Jeng · · Score: 3, Insightful

    Perhaps I didn't read close enough, but I didn't see anyone complying.

    The FBI and NSA can ask for the moon, doesn't mean they are going to get it.

    From reading your link perhaps you should have a case of Indiaphobia or United Arab Emiratesphobia.

    There are other countries in this world with the pull to have back doors included, it's not a U.S.A.-specific issue.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  15. Re:Looks like a big "fuck you" to Uncle Sam. by DarkOx · · Score: 3, Interesting

    It's probably nothing like that. Some idiot on the service side of the house probably convinced some VP that a backdoor was needed so the support people could deal with customers who had lost the passwords or when they had to refurbish an RMA and wanted to be lazy and not have to replace any chips or flash the thing or whatever. That VP then made the software team add the backdoor. I think on the MSA15000 there is a check to make sure the password does not match the user name, which I might have run across when familiarizing myself with it prior to deployment. The developers probably wanted to make the password match the user name (it's hidden after all) but also did not want to run into that test code somewhere even with the hard coded value.

    That being said, admin was an aggressively stupid choice and hard coded back doors at least rank as very stupid to begin with.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  16. FEAR by mysidia · · Score: 5, Insightful

    If someone disables the building's primary security system, defeats the lock on your front door, breaks in, when nobody's there, figures out where your MSA is, defeats your server room's dedicated primary alarm system, breaks through the steel fire door into your server room, defeating the ANSI GRADE 1 industrial access control locks, figures out the precise cage where your MSA2000 is located, defeats the cage locks, figures out the combination to open your cabinet, and somehow removes the faceplate without triggering the intrusion alarm, or motion detectors, noise sensors, and surveillance cameras attached to the server room's secondary security/environment monitoring system.

    Then yes... there is a small chance someone might be able to insert a serial connector into your MSA to login as this GUI-unavailable backdoor user without the perp getting caught pretty quickly.

    By the way, the 'password security' on many routers can be defeated by sending a BREAK via serial console during reboot, or by pushing a recessed RESET button. Where is the outrage?