HP enterprise storage systems suffer 'secret' admin account flaw

The computer and server maker is working hard on a fix to a security flaw in one of its enterprise systems, which could allow unauthorized access to corporate data.

Some HP StoreOnce servers affected by a "secret" admin account flaw. Image via ZDNet Japan

HP confirmed on Wednesday that older versions of its StoreOnce enterprise storage systems have a security flaw, which could potentially allow hackers access to vast amounts of corporate data.

The computer maker told ZDNet in a statement that it is "working actively on a fix" for the flaw.

Read this

Five security risks of moving data in BYOD era

Unregulated network access, lack of data management and disgruntled employees are some top risks companies face in terms of safeguarding data even as employees use their mobile devices for work.

Read More

These enterprise systems at the source of the flaw can cost into the tens of thousands of dollars per unit. The researcher who discovered the flaw disclosed it on his blog after his three weekly requests for an update have "gone ignored."

The flaw involves a hidden administrative account that isn't disclosed. There may be concerns that HP could, in theory, access corporate and user data, the researcher noted, but warned that the SHA1 password can easily be brute forced in plain text by hackers.

Now that the SHA1-hashed password has been published, anyone can potentially crack it and access systems with this "hidden" administrative account. It's not clear at the time of writing whether anyone has yet, however.

An HP spokesperson added in its statement, which seemed to suggest that the computer maker itself had discovered the flaw, that it "identified a potential security issue with older HP StoreOnce models." HP said that it does not affect systems with current version 3.0 software, "including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings."

The researcher noted that HP, which counts itself as a member of the Zero Day Initiative — a group that pays security researchers bounties for submitting security flaws — is "somewhat immune to" the philosophy that vulnerabilities should be disclosed.

HP has now disclosed the flaw in a public disclosure note, as of Wednesday, and a software patch will be issued on July 7 to "disable the undocumented HP Support user account."