HP Device Manager, software that allows IT administrators to manage HP Thin Client devices, comes with a backdoor database user account that undermines network security, a UK-based consultant has warned. Nicky Bloor, founder of Cognitous Cyber Security, reports that an HP Inc programmer appears to have set up an insecure user …

  1. Anonymous South African Coward Silver badge

    HP = Hoi Polloi, Hire Purchase, Hickey Puters....

  2. Tom Chiverton 1

    So, Linux boxes fine then?

  3. Chairman of the Bored

    Have a pint

    How many of us (myself specifically included) would have blown right past the log entry? Nicely done, sir.

    1. NickstaDB

      Re: Have a pint

      I probably wouldn't have spotted the log either TBH! I spotted the user in the database first, then searched the app and files for references to it which led me to the log.

  4. Why Not?

    Oh dear

    Admin users with default weak passwords, where have I heard that before?

    Oh yes, even senators understand that is bad. Come on, HP.

  5. Andy The Hat Silver badge

    Those damn Chinese state-enforced back doors discovered again ... What? You sure it's not Chinese?

  6. Oh Matron!

    Dare I say...

    All your (data)base are belong to su...

  7. A random security guy

    Shouldn't we mandate the removal of username/passwords for databases?

    The question is, where is the password kept? The hacker is probably more interested in finding out which script or file the password is stored in.

  8. mark jacobs

    How can you tell if you're affected?

    How do you know if a PC is running HP Device Manager?

  9. Bold Sir Robin

    I'll give them 1 out of 10

    ...for setting the password to one space, rather than 123456...

    1. Mage

      Re: I'll give them 1 out of 10

      Or letmein, the default on Sage Line 50 that people rarely changed.

      How hard is it to have a 1st use screen where it explains about the address book kept in the safe that's used for passwords and prompts for a new password and then run a cracking tool rather than just count the number and types of characters?

      Oh, and keep an off site copy securely too.

      One company I know used a spreadsheet saved in Office 365 for ALL the company passwords!

      Paper is more secure and can be more easily secured.

    2. NickstaDB

      Re: I'll give them 1 out of 10

      Haha, oh that was a painful discovery. I ran a 1-8 character alphanumeric brute-force attack on the password hash, then several dictionary and rule combinations before cracking that password.
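Mage's suggestion above (a first-use screen that runs the new password through cracking-style rules instead of just counting character classes) and NickstaDB's note that a blank password falls to dictionary-and-rules runs can be turned into a concrete defensive check. The following is an added example, not HP's code and not from the article: a password validator that rejects blank or whitespace-only passwords, short passwords, passwords containing the account name, and anything that collapses to a blocklisted default (letmein, 123456, etc.) after the kind of mangling a rule set would undo. The blocklist, the username `dbadmin` and the minimum length are constructed assumptions.

```python
"""First-use password check in the spirit of Mage's comment: rather than
only counting characters and character classes, normalise the candidate
the way a cracking rule set would and test it against a blocklist.
Example code, not HP Device Manager's own; the blocklist is a small
constructed sample."""
import re

# Constructed sample of a default/dictionary blocklist. A real deployment
# would load a large list (e.g. a leaked-password corpus) from disk.
BLOCKLIST = {
    "password", "letmein", "admin", "welcome", "qwerty",
    "123456", "123456789", "changeme",
}

MIN_LENGTH = 12  # assumed policy value

# Common leetspeak substitutions, undone so 'l3tm3!n' is judged as 'letmein'.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def _candidates(password):
    """Yield the variants a rule-based cracker would try for this password:
    lowercase, leet undone, trailing digits/symbols stripped, leading
    digits/symbols stripped."""
    base = password.lower()
    yield base
    yield base.translate(LEET_MAP)
    # Strip a trailing run of digits and non-word characters ('2020!', '!!!!').
    stripped = re.sub(r"[\d\W_]+$", "", base)
    yield stripped
    yield stripped.translate(LEET_MAP)
    # Strip a leading run as well ('!!admin' -> 'admin').
    yield re.sub(r"^[\d\W_]+", "", stripped).translate(LEET_MAP)


def check_password(password, username=None, blocklist=BLOCKLIST,
                   min_length=MIN_LENGTH):
    """Return (ok, reason). ok is True only when every check passes.

    The first check is the one this thread is about: a single space is
    not a password, however many 'character types' a naive counter sees."""
    if not password.strip():
        return False, "blank or whitespace-only password"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(set(password)) < 4:  # 'aaaaaaaaaaaa', '------------'
        return False, "too few distinct characters"
    if username and username.lower() in password.lower():
        return False, "contains the account name"
    for variant in _candidates(password):
        if variant in blocklist:
            return False, f"matches blocklisted word '{variant}' after rule mangling"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs, including the one-space password from the article.
    for pw in [" ", "123456", "L3tm3!n2020!", "P@ssw0rd!!!!",
               "correct horse battery staple"]:
        print(repr(pw), "->", check_password(pw, username="dbadmin"))
```

The point of the `_candidates` step is that class counting would happily accept `L3tm3!n2020!` (upper, lower, digit, symbol, twelve characters), while the first dictionary-plus-rules pass of any cracker recovers `letmein` from it. The blocklist is where the real strength lies; in production it should be a large breached-password corpus, not the handful of words shown here.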

  10. Mage

    One solution

    Don't install HP drivers or software? I'm wary after the driver that LATER disabled working 3rd party toner cartridges.

    I remember when HP was really good. I think sometime before they bought Compaq and realised how much money ink could make. And they did real test gear in those days too.

    What does this HP Device Manager actually do?

    1. Anonymous Coward

      Re: One solution

      "What does this HP Device Manager actually do?"

      From the HP link in the article:

      "Make it easy for your IT admins to remotely deploy, update, and manage thousands of HP Thin Clients from anywhere1 through a single console with HP Device Manager, a tool included with HP Thin Clients at no extra cost."

  11. Lorribot

    Developers, gotta love them.

    I love developers, they are such unrestrained crazy people who make me laugh so much with their out there ideas on security and I admire their attitude to get things done to deliver the project on time no matter what.

  12. Anonymous Coward

    The difficulty with the suggested fix

    Is in accessing port 40006 ¼.

