HP StorageWorks P2000 G3 MSA hardcoded user

Published: 2010-12-15
Last Updated: 2010-12-17 01:28:22 UTC
by Manuel Humberto Santander Pelaez (Version: 2)
1 comment(s)

A hardcoded user was identified in the HP StorageWorks MSA G3 P2000. The account does not appear in the user management system, and it allows an attacker to access sensitive information stored on the device and other connected systems.

Username: admin

Password: !admin

It is difficult to make any forecast about this type of vulnerability. We recommend maintaining security baselines for all deployed infrastructure, in accordance with the recommendations of each manufacturer. That way, we can manage the risks arising from the use of these platforms without affecting performance or the outcome of business processes.

More information at http://www.securityweek.com/backdoor-vulnerability-discovered-hp-msa2000-storage-systems.

UPDATE (Joel): HP has posted a fix at: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c02662287

(Thanks to "jt" in the comments)

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Comments

Looks like HP has put out a fix.
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c02662287
