HP storage server 'backdoor' flaw to be patched

The server and storage giant says a patch that could be remotely exploited to gain unauthorized access to the device will be patched later in July.

HP said in a security bulletin on Tuesday it will patch a security vulnerability that allows remote unauthorized access to its StoreVirtual products.

The patch is expected to land in a week's time — on or before July 17, the company said.

Read this

HP updates server, storage and networking line-ups

HP's new hardware additions land as the company's global partner conference kicks off.

Read More

The "backdoor" flaw allows HP support to access the core in-built operating system, LeftHand OS, which is not accessible to the end user. While some access is provided via the command-line interface, root access is blocked.

For some "complex issues" HP can dial into the software with root access with a one-time password, which protects from repeated access to the system.

HP confirmed that the vulnerability "could be remotely exploited to gain unauthorized access to the device." 

The notice confirms that root access to the underlying operating system does not provide access to stored user data. But according to The Register, one user with 50TB of data was able to use this vulnerability to access reboot nodes in a cluster, "and so cripple the cluster."

"All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today," the advisory noted.