Hewlett-Packard on Wednesday said it has found a potential security issue in the software of its enterprise-class StoreOnce deduplication appliances.
HP said the security risk does not impact its latest HP StoreOnce deduplication appliances, and that a patch will be made available shortly for older models affected by the problem.
The potential storage security risk appears to have been brought to the attention of HP by a blogger who goes by the name "Technion."
Technion wrote that he had discovered a backdoor in the StoreOnce software: anyone who could reach the IP address of an HP StoreOnce appliance could log in with "HPSupport" as the username and a password that can be determined from a specific password hash.
The result? "Say hello to an administrative account you didn't know existed," he wrote.
Technion wrote that he tried contacting HP for "weeks," but received no response from the vendor.
"HP are working on their 'close your eyes and it might go away' approach," he wrote.
Vulnerabilities can happen to everyone, Technion wrote. "Anyone can have any number of issues. Secret root accounts is not one of them. There's no excuse for hating your users this much," he wrote.
When contacted by CRN, HP responded with a statement and a security bulletin.
The statement, attributed to an HP spokesperson, read, "HP identified a potential security issue with older HP StoreOnce models. This does not affect StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix."
The statement also included a link to an HP security bulletin that said HP has identified a "potential security vulnerability" in the HP StoreOnce D2D (disk-to-disk) backup system.
"The vulnerability could be exploited remotely resulting in unauthorized access and modification. ... A user who is logged in via the HPSupport user account does not have access to the data that has been backed up to the HP StoreOnce Backup system, and hence is not able to read or download the backed up data. However, it is possible to reset the device to factory defaults, and hence delete all backed up data that is present on the device," HP wrote in the security bulletin.
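The practical question for an operator, given Technion's description of an undocumented administrative account and HP's bulletin confirming that a remote "HPSupport" login can reset the device and wipe its backups, is how to notice such a login. The following is an added example, not code from the article, HP or Technion: it scans syslog-style authentication lines exported from an appliance and raises an alert on any activity by the vendor account named on the page, and on any accepted login by a user outside an operator-maintained allowlist. The log format, hostnames, IP addresses and the `EXPECTED_ADMINS` allowlist are all assumptions constructed for the example; the only page-sourced value is the "HPSupport" account name.

```python
import re
from typing import Dict, List

# Assumed (constructed) log format: syslog-style lines as an SSH daemon would
# emit them. The real StoreOnce log format is not given on the page.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S+:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?P<user>\S+)"
    r"\sfrom\s(?P<src>[\d.]+)"
)

# Accounts the operator expects to log in (constructed for the example).
# "HPSupport" is deliberately absent: the account was not documented to users.
EXPECTED_ADMINS = frozenset({"admin", "backupops"})

# Vendor-side accounts that should never appear in customer-facing auth logs
# without a matching support engagement. Only "HPSupport" comes from the page.
VENDOR_ACCOUNTS = frozenset({"HPSupport"})


def parse_auth_lines(lines):
    """Yield one dict per line that matches the assumed auth-log format."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(event: Dict[str, str]):
    """Return an alert reason for a parsed event, or None if it is benign."""
    user = event["user"]
    if user in VENDOR_ACCOUNTS:
        # Even a failed attempt is worth knowing about: it shows someone
        # probing for the support account.
        suffix = "-login" if event["result"] == "Accepted" else "-attempt"
        return "vendor-account" + suffix
    if event["result"] == "Accepted" and user not in EXPECTED_ADMINS:
        return "unexpected-admin-login"
    return None


def find_alerts(lines) -> List[Dict[str, str]]:
    """Run the classifier over raw log lines and collect the alerts."""
    alerts = []
    for ev in parse_auth_lines(lines):
        reason = classify(ev)
        if reason:
            alerts.append({**ev, "reason": reason})
    return alerts


# Constructed sample log: hostnames, ports and addresses are invented.
SAMPLE_LOG = """
Jun 26 09:14:02 storeonce01 sshd[2114]: Accepted password for admin from 10.0.5.21 port 51044 ssh2
Jun 26 09:15:40 storeonce01 sshd[2130]: Failed password for HPSupport from 10.0.9.77 port 40212 ssh2
Jun 26 09:15:47 storeonce01 sshd[2130]: Accepted password for HPSupport from 10.0.9.77 port 40212 ssh2
Jun 26 09:20:11 storeonce01 sshd[2150]: Accepted password for backupops from 10.0.5.30 port 51100 ssh2
Jun 26 09:31:55 storeonce01 sshd[2171]: Accepted publickey for svc_unknown from 10.0.9.80 port 40300 ssh2
""".strip().splitlines()

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"{a['ts']} {a['reason']}: user={a['user']} "
              f"src={a['src']} result={a['result']}")
```

Run against the constructed sample, the script reports the failed and the accepted "HPSupport" logins and the accepted login by an unknown account, while the two allowlisted administrators pass silently. The allowlist approach is what makes an undocumented account visible: a rule that only looks for known-bad names would miss the next vendor account nobody told you about.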
HP said its latest StoreOnce B6200 physical appliance and HP StoreOnce VSA virtual storage appliance are not impacted by the vulnerability. The company also said it expects to have a software patch for its older StoreOnce products available for customer downloads on July 7.
The HP spokesperson declined to say whether HP issued its StoreOnce security bulletin in response to the Technion blog post.
HP has done a good job with regular patches and updates to its products over the years, said Dave Butler, president of Enterprise Computing Solutions, a Mission Viejo, Calif.-based solution provider and HP partner.
"Not too much or too little," Butler said. "Just regularly across the board. This is the first I've heard of this security issue. Over the years, the only concern I had with HP patches and updates is when a customer's power goes out and they weren't able to update something when they thought they did it."
PUBLISHED JUNE 26, 2013