EMC and endless stupid passwords

Share Button

Just installed an EMC XtremIO v3 box, and yes, between it and the EMC VSI for VMware web client plugin, since they’ve screwed people who use the thick client, we now have at least another twelve usernames and passwords to worry about.  EMC loves to create tons of ways to get into their hardware and software that are very hard to find, change or even ensure you know they exist; I’ve really started to get fed up with it.  There’s no way to safely operate a network with EMC components if any portion of that network where those components reside has computers present that you would not trust being able to gain administrative access to your EMC gear, since chances are any user at one of those machines probably could gain access if they wanted to.

The XtremIO box comes with all of the following:

XtremIO Management Server (XMS)
Username: xmsadmin
<v2.4 password: 123456
>v2.4 password: Xtrem10

XtremIO Management Secure Upload (via SCP utility)*
Username: xmsupload
Password: xmsupload

XtremIO Management Command Line Interface (XMCLI)
Username: tech
<v2.4 password: 123456
>v2.4 password: X10Tech!

XtremIO Management Command Line Interface (XMCLI)
Username: admin
<v2.4 password: 123456
>v2.4 password: Xtrem10

XtremIO Graphical User Interface (XtremIO GUI)
Username: tech
<v2.4 password: 123456
>v2.4 password: X10Tech!

XtremIO Graphical User Interface (XtremIO GUI)
Username: admin
<v2.4 password: 123456
>v2.4 password: Xtrem10

XtremIO Easy Installation Wizard (on storage controllers / nodes)
Username: xinstall
Password: xiofast1

XtremIO Easy Installation Wizard (on XMS)*
Username: xinstall
Password: xiofast1

Basic Input/Output System (BIOS) for storage controllers / nodes
Password: emcbios

Basic Input/Output System (BIOS) for XMS
Password: emcbios

 

Then you’ve got the required VSI for VMware web client component.  In the thick client days, yes, you did have to download and execute a file to install the VSI plugin into your thick client, but you know what, it sat on the computer with the thick client, unused until needed.  Now, to get the same features, you need to deploy a virtual machine with an 80 gig disk (if thick provisioned) that will consume two cpu cores and 8 gb of memory just so you can have a plugin in the web client.  I guess this shouldn’t surprise me; it’s from the same company who built the web client in Flash.  However, now, just like with the PowerPath/VE ELMS virtual appliance, I have yet another stupid EMC black box sitting on my network running who knows what, with who knows what random stupid EMC user accounts, accessible to anyone who can reach the machine’s IP, containing who knows what vulnerabilities since the VSI appliance, at the very least, runs two web interfaces, Tomcat, apache, some proprietary app, etc.

Anyway, your two default stupid accounts are:

VSI/WC setup interface on https port 5480: root / emc

VSI/WC integration interface on https port 8443: admin / ChangeMe

Don’t you love those super secure 133t passwords they chose?  At least it wasn’t 123456…

Share Button

10 Replies to “EMC and endless stupid passwords”

    • Your Mom Post author

      Hey Ajay, if you found an answer to that, I’d like to know it too. I was not aware of the presence of a root user on these controllers; are you sure there is one?

      Reply
    • PB

      Reboot the storage controller into single user mode. You can then change the root, and xinstall passwords to whatever you like. Also works on the XMS appliance .

      Reply
  1. Bob

    So you think the passwords are stupid and insecure yet you post them on the internet for all to see…. and you are complaining about security? sounds a bit hypocritical IMO. At least when I ask support they tell me they can’t give them to me.

    Reply
    • Your Mom Post author

      Are you truly that stupid Bob? These are common knowledge, and I posted them so anyone operating EMC hardware can test to see if they are present. You’re probably one of those people who think gun free zones keep the criminals away too.

      Reply
  2. Andrew

    Thank you for the info my friend. Don’t fight the passwords. If someone gets that deep into your environment it’s game over anyways . Safety smafety

    Reply
    • Your Mom Post author

      Oh I know that’s the case, the real issue is that EMC makes it nearly impossible to know all of the accounts they’ve hidden in your systems, let alone change their passwords without something breaking. This causes particular issues for those whose internal networks must undergo penetration testing as part of one of several certifications common in various industries, and even further issues when certain types of certifications require policies and procedures that mandate regular password changes on system level accounts for devices. It makes you look stupid when your P&P manual has various policies that all require a written exception for your EMC hardware.

      Anyway, kudos for being on an IPv6 address! 🙂

      Reply
    • Your Mom Post author

      After the 2.x to 3.x disaster, I have not made the attempt to go from 3.x to 4.x on a live array. Unfortunately I haven’t added a new 4.0 array so I’m not sure if the passwords have changed.

      Reply
  3. Mike

    Many thx – its really stupid that even in the training-materials you get the user for installing the XtremIO but the password is described as “THE” default password which isn’t mentioned anywhere – not even in the Install and Upgrade Guide…

    Such a bullshit since emc rather have those passwords flying around instead of telling those passwords straight away in the Documentation which is only accessible to emc-people/parnters -.-

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *