HPE to fix enterprise storage remote root access flaw


Patches out on July 18 for StoreVirtual devices.

Hewlett Packard Enterprise will release patches later this month to address a major vulnerability that potentially allows attackers to gain administrator-level privileges to a range of its enterprise storage products. 

The remote access backdoor is open by default and cannot be disabled by customers. 

Sydney-based researcher Joshua Small discovered the vulnerability, which HPE acknowledged can be "remotely exploited to gain unauthorised access to the device".

Patches will be issued on July 18 Australian time for the LeftHand operating system and SAN/iQ software, HPE said.

The backdoor was implemented in HP StoreVirtual and other storage devices to provide support staff access in order to assist customers with complex problems. 

While customers are asked to grant permission to HPE support to access their networks and devices, there is currently no way to turn off the backdoor, which uses a hard-coded admin password. 

While the backdoor does not provide access to customer data, it can be abused by attackers to tamper with the devices themselves, including to change or delete storage configurations. 

HPE said only LeftHand OS or SAN/iQ software versions 10.5 and earlier are affected by the vulnerability.

The company's P4300, P4500 (G1 and G2), P4800, P4900 (G2) and P4000 VSA devices are affected by the vulnerability, along with the StoreVirtual 4130, 4330, 4530, 4630, 4730 and VSA, as well as the HP DL320S. 

HPE's LeftHand NSM2060 and 2120 G1 and G2 are also vulnerable, including the LeftHand VSA. 

The Dell PowerEdge 2950 and IBM System x3650 servers also contain the root access backdoor. 

Copyright © iTnews.com.au. All rights reserved.
