HP BACKUP SERVER VULNERABIITY

SSH access, according to security researcher Technion, is all that's required to remotely compromise HP StoreOnce backup systems. All that one needs to do is enter the user name "HPSupport" and a preset password which will then open an undocumented administrator account.

These systems are not low end products. A version with twelve 1TB costs more than 12,000 pounds. That's about $18,000. What makes it so expensive is the StoreOnce Catalyst software included with the server. According to HP, the product's deduplication functionality reduces the size of data backups by up to 95 per cent.

In his post disclosing the vulnerability, Technion complains that HP has spent three weeks stalling him rather than doing something about the vulnerability. He says that, given that HP is responsible for vulnerability broker Zero Day Initiative (ZDI), its behavior is unacceptable. Vendors are given 60 days to resolve vulnerabilities.

Technicon has also disclosed the SHA1 hash for the password to access the account. Hashes can be brute forced to obtain the password. It won't be long before the decrypted string is circulating on the usual forums. The password is comprised of seven characters and draws on a ten year old meme.

Since HP was reported as having an identical security vulnerability back in December of 2010, Technion considers the StoreOnce vulnerability to be inexcusable. In that case, it was at least possible to change the password. Whether this is the case for StoreOnce systems is not yet known.