Memo to HP: A backdoor is not a vulnerability

Technion, a blogger who maintains, recently disclosed a backdoor in the StoreOnce 4210, an HP storage hardware product for enterprise users.

He revealed the username and password of the backdoor here.

How did HP respond?

By issuing a security bulletin that misleads by passing the backdoor off as a bug – a vulnerability. The complete content of the security bulletin follows:

A potential security vulnerability has been identified with the HP StoreVirtual Storage. This vulnerability could be remotely exploited to gain unauthorized access to the device.

All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today.

HP StoreVirtual products are storage appliances that use a custom operating system, LeftHand OS, which is not accessible to the end user. Limited access is available to the user via the HP StoreVirtual Command-Line Interface (CLiQ) however root access is blocked.

Root access may be requested by HP Support in some cases to help customers resolve complex support issues. To facilitate these cases, a challenge-response-based one-time password utility is employed by HP Support to gain root access to systems when the customer has granted permission and network access to the system. The one-time password utility protects the root access by preventing repeated access to the system with the same pass phrase. Root access to the LeftHand OS does not provide access to the user data being stored on the system.

Anybody with half a brain knows that HP is lying. A vulnerability is an unintentional coding error. It happens all the time and can happen to any coder – guru or beginner. And a backdoor? That’s a well-placed block of code that gives a coder access to a device or software, bypassing any security tool used to prevent access to it by unauthorized persons. In other words, a backdoor does not happen by accident. It is intentionally designed and inserted into a product by a coder.
