The researcher is unhappy that HP hasn't addressed the issue

Jun 26, 2013 08:32 GMT

A security researcher has uncovered a backdoor vulnerability in HP’s StoreOnce 4210 Backup appliance. Apparently, a hidden administrative account can be easily accessed via an SSH client by using the “HPSupport” username and a preset password.

According to Heise, the researcher who identified the vulnerability has published the SHA1 hash of the password. The expert is unhappy with the fact that HP has been “wasting his time” for the past three weeks instead of addressing the issue.

The SHA1 hash published by the security expert is not very difficult to crack, so the hidden administrator account in StoreOnce is as good as compromised.

The researcher highlights that HP faced a similar problem back in 2010 when a backdoor was discovered in the network storage solution StorageWorks P2000 G3.

In that particular case, users could change their passwords. This time, however, it’s uncertain whether the preset password can be modified.

Update. HP has published an advisory detailing the impact of the vulnerability. The company says that devices running software version 3.0.0 or newer are not impacted. For affected systems, a patch will be made available on July 7.