HP enterprise storage systems suffer 'secret' admin account flaw


Number: IRCNE2013061891
Date: 2013/06/29

According to ZDNet, HP confirmed on Wednesday that older versions of its StoreOnce enterprise storage systems have a security flaw that could potentially give hackers access to vast amounts of corporate data.
The researcher who discovered the flaw disclosed it on his blog after his three weekly requests for an update had "gone ignored."
The flaw involves a hidden, undisclosed administrative account. There may be concerns that HP could, in theory, access corporate and user data, the researcher noted, but he warned that hackers can easily brute-force the SHA1-hashed password to recover it in plain text.
Now that the SHA1-hashed password has been published, anyone can potentially crack it and access systems with this "hidden" administrative account. It's not clear at the time of writing whether anyone has yet, however.
In a statement that seemed to suggest the computer maker itself had discovered the flaw, an HP spokesperson said that it "identified a potential security issue with older HP StoreOnce models." HP said that the issue does not affect systems with current version 3.0 software, "including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings."
HP has now disclosed the flaw in a public disclosure note, as of Wednesday, and a software patch will be issued on July 7 to "disable the undocumented HP Support user account."
