Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hidden Backdoor Discovered On HP MSA2000 Arrays

Posted by CmdrTaco on from the i'm-your-backdoor-man dept.

wiredmikey writes "A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."

14 of 197 comments (clear)

  1. Wow... by Ethanol-fueled · · Score: 5, Funny

    The hard coded user and password in the HP MSA2000 is set to: username: admin

    password: !admin

    WaHAHAHAHAH! Not even "n9xe2uPAthe9" or even "Mr.Snuffles". And it is exactly the same as the very generic username, except for one extra character. It's almost as bad(or perhaps even worse) then using "123456" or even "password."

    This further proves that "faith based security" - relying on vendors to provide systems with built-in robust security- is not a good practice.

    Well...nah, I won't even go there. Too easy. I'm trying to be a good boy. Would somebody like to post a sysadmin's prayer for us?

    1. Re:Wow... by mrsteveman1 · · Score: 4, Funny

      Yes but you've now seen the ! so it's NOT admin, we'll have to keep looking.

      Those HP guys are clever.

    2. Re:Wow... by beanpoppa · · Score: 5, Funny

      Steve-"Hey, Frank! What should I make the password for our backdoor admin account?" Frank-"Definitely NOT admin!" Steve-"Ok."

    3. Re:Wow... by pixelpusher220 · · Score: 4, Interesting

      On a serious note, with a user name of 'admin', would that prevent an actual user account being created with 'admin' as the name?

      Wonder if that might be a new check to run on vendor systems to weed out the truly stupid 'features' like this one. Run a script to create frequently used admin accounts and see if any fail due to them already existing.

      --
      People in cars cause accidents....accidents in cars cause people :-D
  2. And the password is..... by drsmack1 · · Score: 4, Funny

    cntraltdelete

    If that is too long to type, you can use the shortcut keys on your keyboard. This HP thing goes deep. . . .

    --

    Humor from a Genetically Molested Mind

  3. Re:Ok so two things by Saishuuheiki · · Score: 4, Interesting

    One would assume that you would hardcode it so if the user loses his password, he can call the company. And trust me, they WILL lose their password.

    One would hope that the password is put somewhere that a firmware flash can change it however.

  4. Re:Looks like a big "fuck you" to Uncle Sam. by Anonymous+Psychopath · · Score: 5, Interesting

    Don't we hear every so often about how the US government wants backdoors into otherwise secure systems and crypto algorithms for "national security" or "law enforcement" purposes? I suspect that the MSA2000 was required to have a backdoor to appease Uncle Sam, and somebody at HP decided that if Uncle Sam wanted a backdoor, Uncle Sam could damn well have a goate.cx-esque backdoor.

    Exactly! What happened was that they used this type of storage array to hold data on the 9/11 cover-up, and also to edit the footage of the "moon landing". Also the specs for their black surveillance whisper copters.

    Or someone at HP is a moron.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  5. Not working here by jonathanhowell · · Score: 5, Informative

    A quick login test on my MSA 2012i G3 doesn't work.

    "Access denied"

    more testing later.
    J

    1. Re:Not working here by jgtg32a · · Score: 5, Informative

      On the article some guy said it is only accessible through the serial port.

    2. Re:Not working here by MozeeToby · · Score: 4, Insightful

      On the article some guy said it is only accessible through the serial port.

      Which kind of changes the whole tone in my opinion. I'm of the persuasion that if a black hat has physical access to your hardware, you've already lost. It's still shockingly bad practice from a vendor, but if this is true it goes from a serious issue to a moderate one.

    3. Re:Not working here by Necron69 · · Score: 5, Informative

      The array they mean is really the MSA P2000 G3, which is a new 8Gb/s fibre channel array. Note that the array is OEM'd from Dot Hill.

      I tried the 'exploit' on my array. Yes, I can log in with admin/!admin, and no, the admin account does not show up in the GUI listing. BTW, the "admin/!admin" combo was the default login on previous versions of this array, but for this version, the default account was changed to "manage". I'd guess this is a coding error, not some deliberate backdoor.

      The article is wrong that the password cannot be changed. You can change it just fine from the CLI:

      HP StorageWorks MSA Storage P2000 G3 FC
      System Name: MSA_P2000_1
      System Location:XXXXXXXXX
      Version:L100R013

      # set password admin
      Enter new password: ****
      Re-enter new password: ****
      Success: Command completed successfully. (admin) - The password was changed.

      Verified that login is no longer possible via web GUI or SSH. Problem solved.

      - Necron69

  6. Re:Ok so two things by sqlrob · · Score: 4, Insightful

    That doesn't need a single hardcoded password. Generate one based on the serial number of the device. Recoverable, and a heck of a lot more secure than a single password for everybody.

  7. Sigh. Consparicy theorists by Sycraft-fu · · Score: 4, Insightful

    It amazes me how many Slashdot has, how quickly people here will believe some amazingly complex and willy explanation over a simple and obvious one. So what is the obvious one here? Simple: HP support. They want to be able to get in to the units to help their customers, and do shit like recover passwords (which customers will lose). So they add their special hardcoded maintenance account.

    Seriously, going from this to "OMG government conspiracy," based on NO additional evidence means you are presupposing. You've decided on a conclusion (that the government requires everything to have a backdoor, which is 100% false) and are then making a massive illogical leap with no supporting evidence to that.

  8. FEAR by mysidia · · Score: 5, Insightful

    If someone disables the building's primary security system, defeats the lock on your front door, breaks in, when nobody's there, figures out where your MSA is, defeats your server room's dedicated primary alarm system, breaks through the steel fire door into your server room, defeating the ANSI GRADE 1 industrial access control locks, figures out the precise cage where your MSA2000 is located, defeats the cage locks, figures out the combination to open your cabinet, and somehow removes the faceplate without triggering the intrusion alarm, or motion detectors, noise sensors, and surveillance cameras attached to the server room's secondary security/environment monitoring system.

    Then yes... there is a small chance someone might be able to insert a serial connector into your MSA to login as this GUI-unavailable backdoor user without the perp getting caught pretty quickly.

    By the way, the 'password security' on many routers can be defeated by sending a BREAK via serial console during reboot, or by pushing a recessed RESET button. Where is the outrage?