Security experts discovered unchangeable admin account in HP StoreOnce SAN system software. According to specialist called Technion, he was trying to reach HP for couple of weeks, but the company did not react on the existing vulnerability. That was the reason why he published information on the flaw.
“My last three weekly requests for an update have gone ignored,” stated Technion.
As stated by security expert, when developing a product a vendor admin account is created not to waste time with password recovery. Sometimes those accounts stay in the product because developers forget to remove them.
Despite the fact that Technion did not publish the whole password, H Online says that it consists of seven symbols. Moreover, the password draws on a ten-year old meme.
This not the first case of the type. Thus, in 2010, HP’s StorageWorks P2000 G3 MSA had a similar undocumented account. At that time the admin account password could be changed by users through the command line interface. It is not known so far if the StoreOnce admin account can be secured in the same way.