I nearly dropped a cup of tea earlier today when I saw the following mail on BugTraq.
Hi, i just found out that there is a hidden user on every HP MSA2000 G3 SAN out there:
username: admin
password: !admin
this user doesnt show up in the user manager, and the password cannot be changed - looks like the perfect backdoor for everybody.
Now, I know there can be accounts for support personnel and the like but setting an admin password to !admin strikes me as being one step away from having the password be password or just a carriage return.
Turning to Twitter to confirm or deny the validity of the above HP user Hans De Leenheer confirmed the user existed, wasn’t shown in the user manager, the password was as given but it could be changed from the CLI. And he did all this as he changed the passwords on his systems to something fitting his company policy while distributing the information amongst his peers.
Consider this a good working practice notification to HP P2000 users, change the password in the admin account to something more secure and be sure to document it correctly in case it’s required later.
