HP storage server 'backdoor' flaw to be patched

Summary: The server and storage giant says a flaw that could be remotely exploited to gain unauthorized access to the device will be patched later in July.

HP said in a security bulletin on Tuesday it will patch a security vulnerability that allows remote unauthorized access to its StoreVirtual products.

The patch is expected to land in a week's time — on or before July 17, the company said.

The "backdoor" flaw allows HP support to access the core in-built operating system, LeftHand OS, which is not accessible to the end user. While some access is provided via the command-line interface, root access is blocked.

For some "complex issues," HP can dial into the software with root access using a one-time password, which protects against repeated access to the system.

HP confirmed that the vulnerability "could be remotely exploited to gain unauthorized access to the device." 

The notice confirms that root access to the underlying operating system does not provide access to stored user data. But according to The Register, one user with 50TB of data was able to use this vulnerability to access and reboot nodes in a cluster, "and so cripple the cluster."

"All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today," the advisory noted.

Topics: Security, Privacy

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
