LeftHand OS (aka SAN iQ) 10.5 and earlier on HP StoreVirtual Storage devices does not provide a mechanism for disabling the HP Support challenge-response root-login feature, which makes it easier for remote attackers to obtain administrative access by leveraging knowledge of an unused one-time password.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| San/iq | Hp | * | 10.5 (including) |
| San/iq | Hp | 8.0 (including) | 8.0 (including) |
| San/iq | Hp | 8.1 (including) | 8.1 (including) |
| San/iq | Hp | 8.5 (including) | 8.5 (including) |
| San/iq | Hp | 9.0 (including) | 9.0 (including) |
| San/iq | Hp | 9.5 (including) | 9.5 (including) |
| San/iq | Hp | 10.0 (including) | 10.0 (including) |
References
- http://www.theregister.co.uk/2013/07/09/hp_storage_more_possible_backdoors/
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03825537
- http://www.theregister.co.uk/2013/07/09/hp_storage_more_possible_backdoors/
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03825537