In the continuing wake of the PRISM fallout, many high-profile companies have had their own dirty laundry exposed to consumer scrutiny. However, not all scandals are created equal, and some companies exhibit poor design and even poorer execution. Case in point: HP has an undocumented administrator backdoor, protected by a weak password, hiding in its StoreVirtual enterprise virtual hosting service.
HP admits that the undocumented backdoor account is a significant vulnerability and says it will patch the weak-password-protected root access account as soon as possible.
This sounds great. It would be possible to spin this in HP's favor by portraying the company as a proactive, security-first enterprise solutions provider that holds the safety of its consumers' data in the highest regard. At least, that would be possible until someone noticed that this security vulnerability has been present in the StoreVirtual service since 2009.
An Old Flaw Brought to New Light
That's right: HP has known about a backdoor in its enterprise virtual hosting service for five years and has done nothing to repair the problem, leaving a root access account protected by a weak password that would not even be allowed on Facebook.
With very little time or work, root access to large enterprise virtual hosting deployments would be available, and with it the power to take entire nodes offline and even reset the entire enterprise solution to factory defaults, causing all data to be lost.
To be clear, data on the StoreVirtual service would not be visible to unauthorized users of the backdoor, and organizations that followed proper storage backup procedures would be able to recover any lost or destroyed data with minimal downtime.
When Will They Learn?
With all the bad feelings and finger pointing that have followed the revelation of governmental spying and collusion with the most powerful data service providers, companies are in need of positive spin and goodwill. Idiotic vulnerabilities and undocumented backdoor access are not something that can continue in this new climate of distrust.
Companies have to take security and vulnerabilities seriously if they wish to survive the increased scrutiny of today's informed consumers.