HP Acknowledges SAN Password Vulnerability

Every HP MSA2000 G3 storage area network (SAN) has a password vulnerability: a hidden user with the username "admin" -- or in some cases "manage" -- and "!admin" as a password.

So said an anonymous warning posted on Monday to Bugtraq. The warning added: "This user doesn't show up in the user manager, and the password cannot be changed -- looks like the perfect backdoor for everybody."

In an email to the Bugtraq mailing list, computer security consultant Pavel Kankovsky confirmed that the hidden, default user exists on a P2000 G3 storage area network. But he also indicated that there's a workaround through the command line interface (CLI): "The user was invisible but I was able to change its password in CLI with 'set password admin password.'" He noted that the change eliminated the default password.

In a statement, HP also confirmed the vulnerability. "HP identified a potential security issue with the HP StorageWorks P2000 G3 MSA only. This does not impact HP's entire MSA line of storage solutions. HP has identified an immediate fix for this issue and is rapidly informing customers of the solution."

This disclosure of a default -- and now well-known -- password in HP's SAN product comes on the heels of last month's warning from Cisco that its Unified Videoconferencing product contains hard-coded passwords. An attacker could use this vulnerability to gain access to the machine and harvest all of its passwords.

Likewise, the Stuxnet malware seeks to exploit Siemens' WinCC systems by exploiting a hard-coded, default password therein.

Default or hard-coded passwords are easy to add into products, which coders often do during development and debugging. "The practice, while thankfully less common today, occurs frequently as app developers are more focused on the development/release cycle of the app, or software running a device -- in this case -- than the security of that application itself," said Adam Bosnian, executive VP for the Americas and corporate development for security vendor Cyber-Ark.

But after hardware ships, default passwords are difficult to expunge. "While the industry has focused mostly on the elegance of how a virus like Stuxnet got into organizations, the bottom line is that these hard-coded passwords are the key vulnerability that they leverage -- they're the new attack point because of the powerful access and control they grant the user on the target device, and potentially throughout an organization," said Bosnian.