HP enterprise storage systems suffer 'secret' admin account flaw

Summary: The computer and server maker is working on a fix for a security flaw in one of its enterprise storage systems that could allow unauthorized access to corporate data.

Some HP StoreOnce systems are affected by a "secret" admin account flaw. Image via ZDNet Japan

HP confirmed on Wednesday that older versions of its StoreOnce enterprise storage systems have a security flaw that could allow attackers access to large amounts of corporate data.

The computer maker told ZDNet in a statement that it is "working actively on a fix" for the flaw.

The affected systems can cost tens of thousands of dollars per unit. The researcher who discovered the flaw disclosed it on his blog after his three weekly requests to HP for an update had "gone ignored."

The flaw is an undocumented administrative account with a fixed password. Beyond the concern that HP itself could, in theory, use the account to reach corporate and user data, the researcher warned that the password is protected only by a SHA1 hash, which attackers can brute-force to recover the plaintext.

Now that the SHA1 hash of the password has been published, anyone can potentially crack it and log in to affected systems through the "hidden" administrative account. It's not clear at the time of writing whether anyone has yet done so.
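Why a published, unsalted SHA1 hash is effectively a published password: SHA1 is fast and has no work factor, so an attacker simply hashes candidate passwords until one matches. The example below is added here for illustration and is not code from the researcher, HP, or ZDNet; the target hash, the sample password and the wordlist are all constructed for the demonstration (the real StoreOnce hash is not reproduced on this page), and the rule set is a deliberately small stand-in for the mangling rules of real cracking tools.

```python
import hashlib

# Constructed sample: a hypothetical backdoor password and its unsalted SHA1
# hash. This is NOT the real HP StoreOnce hash (the page does not reproduce
# it); it exists only so the example runs offline.
SAMPLE_PASSWORD = "Support2013!"


def sha1_hex(text):
    """Unsalted SHA1 of a string, hex-encoded, the form a leaked hash is usually published in."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


TARGET_HASH = sha1_hex(SAMPLE_PASSWORD)

# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = ["password", "admin", "support", "storeonce", "hpsupport", "backup"]


def mangle(word):
    """Yield common variants of a base word, the way cracking tools apply rules:
    case changes plus appended digits, years and punctuation. Order is fixed so
    the number of candidates tried is deterministic."""
    bases = []
    for base in (word, word.capitalize(), word.upper()):
        if base not in bases:
            bases.append(base)
    suffixes = ["", "1", "123", "2012", "2013", "!", "2013!"]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix


def crack_sha1(target_hex, wordlist):
    """Dictionary attack on an unsalted SHA1 hash.

    Returns (plaintext, candidates_tried) on a match, or (None, candidates_tried)
    if the wordlist is exhausted. Because SHA1 has no salt, the same hash can be
    attacked on every system that ships the same fixed password, and because it
    has no work factor each guess costs one cheap hash call."""
    target = bytes.fromhex(target_hex)
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if hashlib.sha1(candidate.encode("utf-8")).digest() == target:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    plaintext, tried = crack_sha1(TARGET_HASH, WORDLIST)
    print("target hash:", TARGET_HASH)
    print("recovered:", plaintext, "after", tried, "candidates")
```

With a real wordlist and a GPU, the same loop runs at billions of SHA1 guesses per second, which is why the researcher treated the published hash as equivalent to the password itself. A vendor support account, if one must exist, should at minimum use a per-device credential rather than a fixed password shared by every unit.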

An HP spokesperson's statement, which seemed to suggest that the company itself had found the problem, said HP had "identified a potential security issue with older HP StoreOnce models." HP said the flaw does not affect systems running the current version 3.0 software, "including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings."

The researcher noted that HP, which counts itself as a member of the Zero Day Initiative, a program that pays security researchers bounties for submitting security flaws, is "somewhat immune to" the philosophy that vulnerabilities should be disclosed.

HP has now published a public disclosure note for the flaw, as of Wednesday, and says a software patch will be issued on July 7 to "disable the undocumented HP Support user account."

Topics: Hewlett-Packard, Data Centers, Privacy, Security


Zack Whittaker is a writer-editor for ZDNet, and sister sites CNET and CBS News. He is based in the New York newsroom. His PGP key is: EB6CEEA5.
