HP builds secret backdoors into its storage products

Kevin Fogarty at Slashdot: “For the second time in a month, Hewlett-Packard has been forced to admit it built secret backdoors into its enterprise storage products.”

Not only are they building in backdoors, they are totally sucking at it.

SSH has, under ordinary circumstances, two login modes: password auth and keypair auth.

Password auth, barring a really good password and atypically robust hashing scheme, is the weaker of the two, and pitifully vulnerable to anybody with access to the password hash (i.e. anybody who owns or has access to one of these devices or a firmware image they can unpack).

Keypair auth requires revealing only an RSA public key (which is added to the authorized keys file on the system), and only possession of the matching private key will get you in. Barring presently-unknown advances in computer power or prime factorization, this one is functionally unbreakable, regardless of whether you know the public key or not.

Guess which one they used?

(As an aside, I can attest to HP’s security response being utterly dreadful. Back when we were using one of their systems at work, I found a privilege escalation vulnerability, kiosk user -> root, and hammered at them for over a month with no response. Just crickets. They just don’t give a damn, or if they do they can’t find it.)
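The point about password hashes above is what an auditor would check for in an unpacked firmware image. Added example, not from the thread or from HP: a small Python audit over a constructed shadow-style credential file and sshd_config fragment that rates each account by what its password field hands to anyone holding the image, and lists the accounts reachable with a password. The file formats, account names and hash values are all constructed sample data.

```python
import re

# Constructed shadow-style credential file, as it might look after unpacking
# a firmware image (sample values only, not taken from any real product).
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234:16000:0:99999:7:::
support:0123456789abcdef0123456789abcdef01234567:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
guest::16000:0:99999:7:::
"""
# Constructed sshd_config fragment from the same image.
SAMPLE_SSHD_CONFIG = "Port 22\nPasswordAuthentication yes\nPubkeyAuthentication yes\n"

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_password_field(field):
    """Rate the password field by what it hands to anyone holding the image."""
    if field == "":
        return "empty-password"      # logs in with no password at all
    if field[0] in "*!":
        return "locked"              # no password login possible
    if field.startswith("$"):
        return "salted-crypt"        # offline guessing still works, one hash per guess
    if HEX_RE.match(field) and len(field) in DIGEST_LENGTHS:
        return "unsalted-" + DIGEST_LENGTHS[len(field)]  # precomputed tables apply
    return "unknown"

def audit_shadow(text):
    """Map each account name to the classification of its password field."""
    result = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":")[:2]
            result[name] = classify_password_field(field)
    return result

def password_auth_enabled(config_text):
    """True when sshd accepts passwords: OpenSSH defaults to yes, first directive wins."""
    for line in config_text.splitlines():
        m = re.match(r"(?i)^\s*passwordauthentication\s+(\S+)", line.split("#", 1)[0])
        if m:
            return m.group(1).lower() == "yes"
    return True

def exposed_accounts(shadow_text, config_text):
    """Accounts reachable over SSH using only material lifted from the image."""
    if not password_auth_enabled(config_text):
        return []
    return sorted(u for u, c in audit_shadow(shadow_text).items()
                  if c not in ("locked", "unknown"))
```

Turning PasswordAuthentication off removes every entry from the exposed list; the hashes are still worth rotating, since a salted crypt hash only slows guessing rather than preventing it.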

sha1 hash 78a7ecf065324604540ad3c41c3bb8fe1d084c50 = badg3r5

We don’t use HP storage, but as a fairly large hospital IT department we do use scads and scads of storage, and this is the kind of thing that’s going to give the information-governance people a magnificent headache.
