HP Confirms Backdoor In StoreOnce Backup Products

← Back to Stories (view on slashdot.org)

HP Confirms Backdoor In StoreOnce Backup Products

Posted by timothy on Wednesday June 26, 2013 @04:53AM from the top-men-are-on-it dept.

wiredmikey writes "Security response personnel at HP are 'actively working on a fix' for a potentially dangerous backdoor in older versions of its StoreOnce backup product line. The company's confirmation of what it describes as a 'potential security issue' follows the public disclosure that malicious hackers can use SSH access to perform full remote compromise of HP's StoreOnce backup systems. The SHA1 hash for the password was also published, putting pressure on HP to get a fix ready for affected customers. SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password. The HP StoreOnce product, previously known as HP D2D, provides disk backup and recovery to small- to midsize businesses, large enterprises, remote offices and cloud service providers."

45 comments

Min score:

Reason:

Sort:

hands of skills by mostadorthsander · 2013-06-26 04:57 · Score: 1

instead of talking over a telephone maybe a group of peoples may have to look through billions of lines of coding to really fix this issue outside the halodeck...
WTF, HP? by fuzzyfuzzyfungus · 2013-06-26 05:00 · Score: 5, Insightful

So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth? Y'know, the one where obtaining the private key just by having access to the public key baked into every unit isn't dangerously trivial?
1. Re:WTF, HP? by Anonymous Coward · 2013-06-26 05:03 · Score: 0
  
  but... how else would the NSA gain access to your backups to ensure their integrity???
2. Re:WTF, HP? by Anonymous Coward · 2013-06-26 05:10 · Score: 1
  
  No.
  But I can think of several highly shameful reasons :-)
3. Re:WTF, HP? by Anonymous Coward · 2013-06-26 05:19 · Score: 1
  
  So, can anybody think of a not-totally-shameful reason why HP's vendor service backdoor didn't use SSH's keypair auth?
  <voice type="whiny">But that's haaaard! We don't waaaaaanna!</voice>
4. Re:WTF, HP? by Anonymous Coward · 2013-06-26 05:38 · Score: 0
  
  Because it's easier to give their call center reps a notepad document with this password in it than to train them what SSH is, and how to use SSH keys on whatever ghastly platform they use in call centers. Whatever it is, it can't be good, because I always get told "Please hold for a few minutes while I look this up, our systems are running slowly today."
This is still going on ? by ggraham412 · 2013-06-26 05:03 · Score: 1

When did the movie "War Games" come out?
And people are still putting back doors into stuff?
1. Re:This is still going on ? by Anonymous Coward · 2013-06-26 08:04 · Score: 1
  
  First, this is a product that should never, ever, ever be connected to a public network. The same goes for the SAN systems, some of the older ones of which also apparently had an undocumented default password. It's still sloppy and bad practice for that to be there, but any moron who connects a storage backup system like this to a public network and gets hacked deserves what they get, doing that would be beyond stupid to the point of actually being malicious. The same also goes for similar products from ANY vendor. They're not security hardened and have no business being outside of a very strict firewall that doesn't, under any circumstances, provide any external access to the management interface except perhaps by VPN.
  That lowers the risk significantly for basically all customers (who have a brain), not to zero, but if you're attackers are already running rampant on your backend, internal, private management networks there are countless other attack vectors for all of your data and this one would at least in the middle of the list, if not below.
rainbow tables by Anonymous Coward · 2013-06-26 05:07 · Score: 1

with rainbow tables and no salt it's almost the same as releasing the plaintext: badg3r5
1. Re:rainbow tables by ArcadeMan · 2013-06-26 05:37 · Score: 1
  
  badg3r5?
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
2. Re:rainbow tables by Anonymous Coward · 2013-06-26 06:53 · Score: 0
  
  You gave the mobile link, the desktop link is http://youtube.com/watch?v=gx6TBrfCW54&desktop_uri=%2Fwatch%3Fv%3Dgx6TBrfCW54
3. Re:rainbow tables by ArcadeMan · 2013-06-26 07:39 · Score: 1
  
  And the desktop link requires Flash, which is why I linked to the mobile version.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
4. Re:rainbow tables by fnj · 2013-06-26 09:07 · Score: 1
  
  On the other hand, the Flash version actually WORKS on my system. The mobile one does not.
5. Re:rainbow tables by ArcadeMan · 2013-06-26 12:25 · Score: 1
  
  On the other hand, the Flash version doesn't work on mine but the mobile one does.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
6. Re:rainbow tables by fnj · 2013-06-27 04:09 · Score: 1
  
  The difference is, your system is stupid!! :-) Relax, I'm only kidding. There needs to be a standard that works on BOTH our systems.
That's not a backdoor, by BLToday · 2013-06-26 05:16 · Score: 5, Insightful

That's the main entrance for the NSA.
1. Re:That's not a backdoor, by Anonymous Coward · 2013-06-26 05:27 · Score: 0
  
  No, I'm sorry, it's not. They're better than you can possibly imagine at this game. These are the people who invent cryptographic techniques.
2. Re:That's not a backdoor, by Anonymous Coward · 2013-06-26 05:31 · Score: 0
  
  Yeah. The thing to remember is that the NSA is as interested in protecting US interests from other countrys' attacks as they are in being able to maintan surveillance and stuff like that. A seven character password? That's not the NSA.
3. Re:That's not a backdoor, by tqk · 2013-06-26 06:41 · Score: 1
  
  Yeah. The thing to remember is that the NSA is as interested in protecting US interests ...
  Yeah (*cough*Edward Snowden*cough*), right.
  
  --
  "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
4. Re:That's not a backdoor, by lightknight · 2013-06-26 10:04 · Score: 1
  
  As do many programmers, usually when they're in the bath tub, just for fun. Now, whether those techniques stand up to the scrutiny of a major dedicated code-breaker is a different discussion.
  
  --
  I am John Hurt.
badg3r5 by TheNinjaroach · 2013-06-26 05:17 · Score: 5, Informative

Google quickly lead me to the SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50 and to a publicly available SHA1 reverse lookup utility that already has the match in it.

--
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
1. Re:badg3r5 by citizenr · 2013-06-26 05:32 · Score: 4, Insightful
  
  Go badg3r5!
  
  --
  Who logs in to gdm? Not I, said the duck.
2. Re:badg3r5 by Anonymous Coward · 2013-06-26 05:35 · Score: 5, Funny
  
  I guess the HP patch, upgrades the string to f3bbbd66a63d4bf1747940578ec3d0103530e21d.
3. Re:badg3r5 by Anonymous Coward · 2013-06-26 07:16 · Score: 0
  
  Dude, it's 5919b58eec0aa7cd1e3cc7df5cf0c1b9f77473ad.
  Or maybe af7de050cd5fd4b0afc30a9cd61f3ac8b8c704c5.
4. Re:badg3r5 by oPless · 2013-06-26 07:17 · Score: 1
  
  Mod parent up.
  I almost wet myself. ******* indeed!
StoreOnce... is that the same as write-only? by swschrad · 2013-06-26 05:18 · Score: 1

I had a set of backups like that once. that's why I dumped NT 3.5

--
if this is supposed to be a new economy, how come they still want my old fashioned money?
1. Re:StoreOnce... is that the same as write-only? by stewsters · 2013-06-26 05:48 · Score: 1
  
  I have a massive write only drive that I would be willing to sell you room on.
  yourBackupFiles.tar.gz > /dev/null
2. Re:StoreOnce... is that the same as write-only? by Anonymous Coward · 2013-06-26 06:13 · Score: 0
  
  no it is WORM. the device is cheap but they get you on buying new media...
HP is on a Low Sodium Diet by TechyImmigrant · 2013-06-26 05:33 · Score: 3, Funny

>SecurityWeek has confirmed that it is relatively trivial to brute-force the hash to obtain the seven-character password.
HP is on a low sodium diet, they didn't add salt.

--
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
1. Re:HP is on a Low Sodium Diet by Baloroth · 2013-06-26 05:47 · Score: 1
  
  A salt does not increase security when cracking only a single password. They help with large sets of passwords, but brute forcing a single password takes the same time whether it is salted or not.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
2. Re:HP is on a Low Sodium Diet by Anonymous Coward · 2013-06-26 05:55 · Score: 2, Informative
  
  As pointed out in other comments, the reverse lookup (i.e. rainbow table) is readily available for unsalted hashes.
  You make the mistake that to get a password requires brute force. People aren't stupid, they use the fastest tools available first. If google can tell you the password by simply entering the hash, then yes, it is LESS SECURE then one that is not readily available and REQUIRES brute force
3. Re:HP is on a Low Sodium Diet by TechyImmigrant · 2013-06-26 07:15 · Score: 1
  
  Indeed. Properly salted, the brute force cost would be O(2^80). With rainbow tables, assuming your target is in your table dictionary, the cost is much much less.
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Re:FLOSS by Anonymous Coward · 2013-06-26 05:36 · Score: 0

http://dealnews.com/c72/Computers/Peripherals/Input-Devices/Keyboards/
you need a new one
HP by Anonymous Coward · 2013-06-26 05:43 · Score: 5, Funny

The best part of clicking on the link to TFA was the pop-over advertisement from HP that said "How secure is your code?"
Way to go HP!
At least its not an undocumented default account. by Anonymous Coward · 2013-06-26 05:49 · Score: 1

Some of the latest versions of HP P2000 SAN's have a built in service account enabed by default reachable through telnet/SSH that is totally hidden from the management GUI of the device.
https://www.krystalmods.com/index.php?title=hp-msa-g3-array-hidden-admin-user&more=1&c=1&tb=1&pb=1
HP eventually released an advisory about it suggesting you change the password.
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02662287
You keep using that word... by Anonymous Coward · 2013-06-26 06:01 · Score: 0

'potential' security issue
I do not think it means what you think it means.
1. Re:You keep using that word... by lightknight · 2013-06-26 10:09 · Score: 1
  
  Lol. To a businessman's ears, it means "no" security issue; to a network admin's ears, it means "they're already in your database, copying your tables, and leaving lewd comments about your tastes in desktop managers."
  
  --
  I am John Hurt.
badg3r5 badg3r5 badg3r5 badg3r5 by Anonymous Coward · 2013-06-26 06:06 · Score: 0

MU5HR00M MU5HR00M
Second reason not to use this product by Karl+Cocknozzle · 2013-06-26 06:44 · Score: 1

The first is that it costs more than a king's ransom to buy and isn't that great when you do. So I guess that's three. Sorry.

--
Who did what now?
a bit offtopic, but.. by excelsior_gr · 2013-06-26 08:19 · Score: 1

it's sad to watch HP fall into ruins, but it seems that me that everything they touch turns into coal instead of gold. They used to build decent hardware. My brother owns an HP handheld from the time before the smartphone craze that had a stylus, Windows mobile (from the era when it actually used to work), a *shitload* of software and GPS. They acquired Compaq and the laptop I bought from them back in 2004 was built to last. Then they phased out all the Compaq products and the laptops they have been marketing since are all crap IMHO. They also killed the Compaq Fortran Compiler with the promise to launch a modernized version for some serious number-crunching on HP-servers that never materialized. When they bought Palm I was looking forward to my new phone that I would buy from them, but all that came out was the half-assed HP Pre 3 and then they dumped that too. WebOS died a shameful death. At home have a long lineage of HP printers and scanners that go back to the Deskjet 1120C from the 90ies that is a parallel port inkjet A3 printer that may still be functional if I tried to revive it. I uses ink cartridges that are the size of my fist and don't dry easily. Shortly after that all they made was give-away printers and all-in-ones that capitalized on the high price of their fart-sized cartridges. Then they stated that they want to offer cloud services, which obviously left me out as their intended audience, but I still kept an eye on them.
And now this story...
Farewell HP, it was good while it lasted.
A satisfied customer.
2nd HP fail by MaxDollarCash · 2013-06-26 09:21 · Score: 1

HP dataprotector was also on bugtraq a few weeks back with the software containing a "hardcoded" password... HP is security fail!
CALEA II? by Anonymous Coward · 2013-06-26 15:45 · Score: 0

Maybe you've forgotten, but the NSA/CIA/FBI has been pushing for CALEA II which is *exactly* this. Backdoors into everything.
Since HP is a major vendor to the NSA I can well believe they put it in with prompting from the NSA (maybe one of these super-secret warrants from the kangaroo court). But if they did you'd expect to see similar back doors in their other storage products.... erm like this one for example:
http://www.securityweek.com/backdoor-vulnerability-discovered-hp-msa2000-storage-systems
Yep, seems to be an ongoing theme with HP, backdoor passwords onto their storage products.
Salt doesn't fix the backdoor by Anonymous Coward · 2013-06-26 16:36 · Score: 0

It slows the hack of the password, there is still a backdoor the NSA can access.