HPE tape library permits unauthorised remote access

HP Enterprise has warned that its StoreEver MSL6480 Tape Library is at risk of allowing “remote unauthorized disclosure of information.”

As the MSL6480 can store up to 8.4 petabytes when all 560 of its slots are filled with LTO-7 tapes, that's rather a lot of data at risk.

The problem isn't entirely HPE's fault: it derives from CVE-2016-5385, a flaw in PHP that means the scripting language “does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request”.

Oracle addressed the problem in late September, when it offered a patch for its Linux Distribution. Red Hat and Fedora have done likewise.

It looks like HPE popped out new firmware in late October. Public CERT notices started flowing this week.

“The information in this Security Bulletin should be acted upon as soon as possible,” says HPE's advisory, which says libraries firmware version 5.10 sorts things out. That 63.6MB file is yours for the downloading here.

The MSL6480's peak output is 45 terabytes an hour. So hopefully if someone was hammering your library, you'd notice some rather interesting network behaviour to tip you off to an exfiltration party. If you can't spot that kind of activity, oh dear.

Sorry if this spoiled your weekend, storage admins. ®