Backdoor in HP StoreOnce backup systems discovered

Tuesday, June 25, 2013

HP's StoreOnce backup systems are among the company's high-priced offerings: a version that supports 12 1TB drives costs over €12,000. HP provides its StoreOnce Catalyst software with the backup system, which explains why the system is expensive. HP claims that the system's deduplication functionality reduces the overall size of data backups by up to 95 per cent.

The researcher, who goes by the pseudonym Technion, claims that he has been in touch with HP for weeks, but his requests for updates are being ignored. The researcher is of the opinion that HP's behavior, despite its involvement in the Zero Day Initiative (ZDI), is unacceptable.

Disclosing the details of the backdoor, Technion has published the password required for the 'HPSupport' username, but only as a SHA1 hash. Considering that SHA1 hashes can be brute forced, the actual password string, which is claimed to be 7 characters long, will be out very soon.
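To put the "7 characters" figure in perspective, the following added example (not from the article or from HP) sizes the search space for a 7-character password and times one unsalted SHA-1 against a salted, iterated KDF on the local machine. The alphabet sizes, the PBKDF2 parameters and the sample strings are assumptions; the article gives only the length.

```python
import hashlib
import time

# Alphabet sizes are assumptions; the article gives only the length (7).
ALPHABETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}
LENGTH = 7


def keyspace(length, alphabet_size):
    """Number of candidate strings of exactly `length` characters."""
    return alphabet_size ** length


def measure_rate(hash_once, duration=0.2):
    """Single-core calls per second of `hash_once`, timed on this machine."""
    calls = 0
    start = time.perf_counter()
    while True:
        hash_once()
        calls += 1
        elapsed = time.perf_counter() - start
        if elapsed >= duration:
            return calls / elapsed


def hours_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst-case hours to try every candidate at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / 3600


def fast_sha1():
    hashlib.sha1(b"Abc123!").digest()  # constructed 7-character sample


def slow_kdf():
    # Assumed alternative: salted PBKDF2-HMAC-SHA256, 100,000 iterations.
    hashlib.pbkdf2_hmac("sha256", b"Abc123!", b"constructed-salt", 100_000)


if __name__ == "__main__":
    rates = {"SHA-1": measure_rate(fast_sha1), "PBKDF2": measure_rate(slow_kdf)}
    for name, size in ALPHABETS.items():
        for scheme, rate in rates.items():
            hours = hours_to_exhaust(LENGTH, size, rate)
            print(f"{name:16} {scheme:7} {rate:12.0f}/s {hours:16.1f} h")
```

The rates are single-core Python figures, so the SHA-1 rows are an upper bound on the time; dedicated hardware is far faster. A salted, iterated KDF raises the cost per guess, but it does not make a shared, hard-coded support credential safe.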

This is not the first time that a backdoor in the form of a service account has been discovered in HP products. Back in December 2010, HP’s network storage solution StorageWorks P2000 G3 was reported to have such a backdoor which opened complete access to the system.