CVE-2013-2352

critical

Published 2013-07-10 · Modified 2026-04-29

CVSS v3

—

CVSS v2

9.4

VIR risk

9.4

Description

LeftHand OS (aka SAN iQ) 10.5 and earlier on HP StoreVirtual Storage devices does not provide a mechanism for disabling the HP Support challenge-response root-login feature, which makes it easier for remote attackers to obtain administrative access by leveraging knowledge of an unused one-time password.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: hp-security-alert@hp.com — https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03825537

Application impact

Vendor	Product	Versions
hp	san\/iq	`{"endIncluding":"10.5"}`
hp	san\/iq	`8.0`
hp	san\/iq	`8.1`
hp	san\/iq	`8.5`
hp	san\/iq	`9.0`
hp	san\/iq	`9.5`
hp	san\/iq	`10.0`

References

http://www.theregister.co.uk/2013/07/09/hp_storage_more_possible_backdoors/
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03825537
http://www.theregister.co.uk/2013/07/09/hp_storage_more_possible_backdoors/
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03825537

CWEs

CWE-255

Verify integrity in audit chain (admin only). AS-IS.