HP released an advisory stating that a patch would be available on July 7th to address a security flaw left exposed on their D2D StoreOnce appliances. In versions prior to 3.0.0, an undocumented account is open on the system and can provide elevated access to the device. The advisory is available here. The exploit was reported here, where the author also states that he tried to notify HP about the exploit without success. He made additional comments that raise a broader question: is software installed onto a server with disk drives really a purpose-built backup appliance?
Purpose-built backup appliances are designed from the hardware up through the connectivity protocols to be integrated into the backup infrastructure. This includes an optimized operating system, a custom file system, advanced data integrity checking, integrated encryption key management, and a variable-length, block-based deduplication algorithm. Most often the alternative is a whitebox or OEM server with a software suite installed on top of it, running inferior dedupe and providing no hardware- or software-level integrity verification. Sure, I can go out into my garage, download opendedup, install it on a server I cobble together with parts from Newegg, and call it my “Gotdedupe PBBA”. But it’s not. When you are considering which appliance you are going to add to your backup infrastructure, be sure you are comparing apples to apples. Data integrity and hardware optimized for data protection workloads are not just nice-to-have features any more. This is your storage of last resort, and that data has to be available when you ask for it.
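To make concrete why the paragraph above singles out variable-length deduplication and data integrity checking, here is a small Python model added to this post; it is not code from HP, from the StoreOnce firmware, or from the exploit author. It compares content-defined chunking (a Buzhash rolling hash, with window, mask and chunk-size limits chosen for the demo) against fixed-size blocks on a constructed 4 KiB pseudo-random "backup", then shows an integrity scrub that re-hashes stored chunks and reports silent corruption.

```python
import hashlib
import random

# Chunking parameters (constructed for this demo; appliances tune them per workload)
WINDOW = 16           # bytes covered by the rolling hash
MASK = (1 << 6) - 1   # boundary when the low 6 bits are all set: ~64-byte average chunk
MIN_CHUNK = 16
MAX_CHUNK = 256

# Buzhash byte table, seeded so chunking is reproducible across runs
_rng = random.Random(0xC0FFEE)
_TABLE = [_rng.getrandbits(32) for _ in range(256)]


def _rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def rolling_chunks(data: bytes) -> list:
    """Content-defined (variable-length) chunking with a Buzhash rolling hash.

    A boundary is declared when the hash of the last WINDOW bytes hits MASK, so
    boundaries follow the content rather than absolute offsets and re-synchronise
    shortly after an insertion or deletion.
    """
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = _rotl(h, 1) ^ _TABLE[b]
        if i >= WINDOW:
            # cancel the contribution of the byte that just left the window
            h ^= _rotl(_TABLE[data[i - WINDOW]], WINDOW)
        length = i + 1 - start
        if (length >= MIN_CHUNK and (h & MASK) == MASK) or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def fixed_chunks(data: bytes, size: int = 64) -> list:
    """Fixed-length chunking: one inserted byte shifts every later block boundary."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_store(chunks) -> dict:
    """Content-addressed store: identical chunks collapse to one entry keyed by SHA-256."""
    return {hashlib.sha256(c).hexdigest(): c for c in chunks}


def shared_fraction(store: dict, chunks) -> float:
    """Fraction of a new backup's chunks already in the store (i.e. deduplicated away)."""
    hits = sum(1 for c in chunks if hashlib.sha256(c).hexdigest() in store)
    return hits / len(chunks)


def verify_store(store: dict) -> list:
    """Integrity scrub: re-hash every stored chunk and return digests that no longer match."""
    return [d for d, c in store.items() if hashlib.sha256(c).hexdigest() != d]


def demo() -> dict:
    # Constructed sample: a 4 KiB pseudo-random "backup" and a second copy with one byte inserted
    rng = random.Random(1)
    first = bytes(rng.getrandbits(8) for _ in range(4096))
    second = first[:100] + b"X" + first[100:]

    cdc_store = build_store(rolling_chunks(first))
    fixed_store = build_store(fixed_chunks(first))
    results = {
        "cdc_shared": shared_fraction(cdc_store, rolling_chunks(second)),
        "fixed_shared": shared_fraction(fixed_store, fixed_chunks(second)),
        "reassembles": b"".join(rolling_chunks(first)) == first,
    }

    # Simulate silent corruption of one stored chunk: the scrub must name exactly that digest
    digest = next(iter(cdc_store))
    chunk = cdc_store[digest]
    cdc_store[digest] = bytes([chunk[0] ^ 0x01]) + chunk[1:]
    results["corrupted_detected"] = verify_store(cdc_store) == [digest]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With fixed 64-byte blocks, only the single block before the insertion point still matches, so almost nothing deduplicates; with content-defined chunks the boundaries re-align within a few chunks and most of the second copy is shared. The scrub is the piece a whitebox build usually lacks: without a recorded digest per chunk, a bit flip on disk is returned as good data at restore time.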