HP confirms SAN password vulnerability
Hewlett Packard (NYSE: HPQ) has confirmed that every HP StorageWorks P2000 G3 MSA SAN (Storage Area Network) that has been sold comes with a critical security vulnerability in the form of a secret user account. The fiasco came to light in an anonymous warning posted on the security-centric electronic mailing list Bugtraq, which observed that "This user doesn't show up in the user manager, and the password cannot be changed--looks like the perfect backdoor for everybody."
The hidden user is either "admin" or "manage," and comes with a fixed password of "!admin" that poses a threat to organizations that deploy the SAN, and is also an embarrassment to HP. The use of hardcoded passwords in appliances stems from past practices, when it was assumed that such backdoors into the system would never be discovered. It is not known whether the hidden account in this case was an oversight by an engineer, though HP was quick to clarify that this vulnerability does not affect other models in HP's MSA line of storage solutions.
Update: HP has written in about a fix that can be accessed here.
For more on this story:
- check out this article at InformationWeek
- check out this article at The Inquirer