HP storage server 'backdoor' flaw to be patched


Summary: The server and storage giant says a flaw that could be remotely exploited to gain unauthorized access to the device will be patched later in July.

TOPICS: Security, Privacy

HP said in a security bulletin on Tuesday it will patch a security vulnerability that allows remote unauthorized access to its StoreVirtual products.

The patch is expected to land in a week's time — on or before July 17, the company said.

The "backdoor" flaw allows HP support to access the core in-built operating system, LeftHand OS, which is not accessible to the end user. While some access is provided via the command-line interface, root access is blocked.

For some "complex issues," HP can dial into the software with root access using a one-time password, which protects against repeated access to the system.

HP confirmed that the vulnerability "could be remotely exploited to gain unauthorized access to the device." 

The notice confirms that root access to the underlying operating system does not provide access to stored user data. But according to The Register, one user with 50TB of data was able to use this vulnerability to access and reboot nodes in a cluster, "and so cripple the cluster."

"All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today," the advisory noted.




1 comment
  • Stuff Linda

    I am requesting user 'mona lasser' and her IP address be banned from ZDNet in perpetuity. Shut the spammers down now.