The backdoor, allegedly present in StoreOnce products since 2009, was made public by Technion; the blogger claimed that using the correct password would give anyone administrative access to the system. In a security advisory, HP has acknowledged the presence of a vulnerability that “could be remotely exploited to gain unauthorized access to the device.”
“All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.”
By July 17, HP will provide its customers with a patch that disables the support access mechanism. Root access, if required to resolve complex support calls, will be obtained with the customer’s consent using a one-time challenge-response mechanism. The one-time password so generated cannot be used again, thereby keeping customers’ systems safe from replay attacks.
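A minimal sketch of a consent-gated, one-time challenge-response check of the kind described above, showing why a captured response cannot be replayed. This is an added example, not HP's implementation: the names `SupportAccessGate` and `compute_response`, the HMAC-SHA256 construction, the per-device key and the five-minute lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def compute_response(key: bytes, challenge: str) -> str:
    """Support side: derive the one-time password for a single challenge."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


class SupportAccessGate:
    """Device side: issues single-use challenges and checks responses."""

    def __init__(self, device_key: bytes, ttl_seconds: int = 300):
        # Assumption: the key is unique per device. One key baked into every
        # unit would be as recoverable as the static password it replaces.
        self._key = device_key
        self._ttl = ttl_seconds
        self._pending = {}  # challenge -> expiry timestamp

    def issue_challenge(self, customer_approved: bool, now=None) -> str:
        # No challenge exists until the customer opens a support session.
        if not customer_approved:
            raise PermissionError("customer has not approved support access")
        now = time.time() if now is None else now
        challenge = secrets.token_hex(16)
        self._pending[challenge] = now + self._ttl
        return challenge

    def verify(self, challenge: str, response: str, now=None) -> bool:
        now = time.time() if now is None else now
        # pop() consumes the challenge on the first attempt, right or wrong,
        # so a captured response is worthless afterwards.
        expiry = self._pending.pop(challenge, None)
        if expiry is None or now > expiry:
            return False
        expected = compute_response(self._key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    gate = SupportAccessGate(key)
    challenge = gate.issue_challenge(customer_approved=True)
    otp = compute_response(key, challenge)
    print("first use:", gate.verify(challenge, otp))
    print("replay   :", gate.verify(challenge, otp))
```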