Sign in / up

back to article HP closes StoreVirtual backdoor, slings key

Hewlett-Packard has issued a patch for the StoreVirtual vulnerability under which an undocumented factory account existed in a number of products running its LeftHand (or SAN iQ) software older than version 10.5. The vulnerability was brought to the attention of The Register (and of HP) by blogger Technion, who had earlier …

COMMENTS

House rules Send corrections
This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    That sounds like it should effectively restrict access to approved NSA HP operatives only.

    Awesome.

    1 0
  2. Down not across

    Still not thrilled about the idea of remote access without requirement of physical local ACK to allow it, as challenge-response without requiring acknowledgment locally is still remotely exploitable. Before anyone jumps in "no sane person connects...", remote could be within a corporate network or even within management LAN as VLANs are not exactly unexploitable.

    Mind you, it is still better than (a now known) static password.

    1 0
    1. Nate Amsden
      Reply Icon

      remote access is pretty common

      for enterprise storage at least... I suspect with the lefthand stuff it is much less frequently used as it's more of a end-user supported product. Though for HP 3PAR (and 3PAR before HP bought em) standard policy is to provide support will full admin access to the system via a dedicated server on the network.

      This is not required, the customer can tell HP (as part of the setup) that this is not allowed for them, though I suspect most customers do allow it (I always have). Support is very open about when they make changes(they ask permission for everything). This provides means for remote diagnostics, as well as software upgrades etc.

      Another option (which may or may not be available anymore I'm not sure) was to have a dial up line for support to call into instead of going over the internet.

      I remember there was one big customer a few years back that did not allow any connectivity at all, no inbound, and no outbound (one outbound option is for email alerts to 3PAR). They didn't allow anything. So an engineer had to come on site once a week or something like that to inspect the system and make sure there was no alerts. I think they probably wouldn't do that for a small customer(frequent proactive on site visits) but this was a really really big one.

      0 0
This topic is closed for new posts.

Other stories you might like