HP Acknowledges SAN Password Vulnerability

StorageWorks P2000 G3 storage area network administrators are advised to disable a now well-known default password.

Every HP MSA2000 G3 storage area network (SAN) has a password vulnerability: a hidden user with the username "admin" -- or in some cases "manage" -- and "!admin" as a password.

So said an anonymous warning posted on Monday to Bugtraq. The warning added: "This user doesn't show up in the user manager, and the password cannot be changed -- looks like the perfect backdoor for everybody."

In an email to the Bugtraq mailing list, computer security consultant Pavel Kankovsky confirmed that the hidden, default user exists on a P2000 G3 storage area network. But he also indicated that there's a workaround through the command line interface (CLI): "The user was invisible but I was able to change its password in CLI with 'set password admin password.'" He noted that the change eliminated the default password.

In a statement, HP also confirmed the vulnerability. "HP identified a potential security issue with the HP StorageWorks P2000 G3 MSA only. This does not impact HP's entire MSA line of storage solutions. HP has identified an immediate fix for this issue and is rapidly informing customers of the solution."

This disclosure of a default -- and now well-known -- password in HP's SAN product comes on the heels of last month's warning from Cisco that its Unified Videoconferencing product contains hard-coded passwords. An attacker could use this vulnerability to gain access to the machine and harvest all of its passwords.

Likewise, the Stuxnet malware targets Siemens' WinCC systems by exploiting a hard-coded, default password in that software.

Default or hard-coded passwords are easy to add to products, and coders often do so during development and debugging. "The practice, while thankfully less common today, occurs frequently as app developers are more focused on the development/release cycle of the app, or software running a device -- in this case -- than the security of that application itself," said Adam Bosnian, executive VP for the Americas and corporate development for security vendor Cyber-Ark.

But after hardware ships, default passwords are difficult to expunge. "While the industry has focused mostly on the elegance of how a virus like Stuxnet got into organizations, the bottom line is that these hard-coded passwords are the key vulnerability that they leverage -- they're the new attack point because of the powerful access and control they grant the user on the target device, and potentially throughout an organization," said Bosnian.
