In December 2023, the following security vulnerabilities in the SSH transport protocol were publicly disclosed. They are collectively referred to as the ‘Terrapin’ vulnerabilities.
CVE-2023-48795: General protocol flaw (prefix truncation of the SSH transport, affecting every implementation that negotiates the susceptible cipher/MAC modes) (CVSS score: 5.9, Medium)
CVE-2023-46445: Rogue Extension Negotiation Attack, specific to AsyncSSH (CVSS score: 5.9, Medium)
CVE-2023-46446: Rogue Session Attack, specific to AsyncSSH (CVSS score: 6.8, Medium)
Pure Storage FlashBlade does not use AsyncSSH, which CVE-2023-46445 and CVE-2023-46446 require in order to be exploited. While FlashBlade runs an affected version of OpenSSH, it does not enable the affected cipher modes by default, which mitigates CVE-2023-48795 in the default configuration.
Pure Storage FlashArray likewise does not use AsyncSSH, so CVE-2023-46445 and CVE-2023-46446 do not apply. However, FlashArray Purity is susceptible to CVE-2023-48795: it runs an affected version of OpenSSH and enables the ChaCha20-Poly1305 cipher (chacha20-poly1305@openssh.com) by default.
Mitigating Control/Corrective Action
No corrective action is required for FlashBlade.
Pure Storage recommends that customers running FlashArray Purity disable the ChaCha20-Poly1305 cipher in any SSH client that connects to the FlashArray as a mitigating control. The Terrapin attack can only succeed when both sides negotiate an affected mode, so removing the cipher from the client's offer prevents it from being selected even though the FlashArray server still advertises it. This protects only the sessions of clients configured that way; any client that still offers ChaCha20-Poly1305 to the FlashArray remains exposed until a fixed Purity release is installed.
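The following is an added example, not part of this bulletin and not a Pure Storage tool, showing how to apply the client-side mitigation above with OpenSSH and how to verify it took effect. The host name flasharray.example and the config path are assumptions; the check inspects the effective client configuration that `ssh -G` prints rather than touching the array.

```shell
#!/bin/sh
# Added example (not Pure Storage's own text or tooling): remove the
# Terrapin-affected ChaCha20-Poly1305 cipher from the OpenSSH client's offer
# for one host, and check the effective configuration afterwards.
# Host name "flasharray.example" and the ~/.ssh/config path are assumptions.

# Returns 0 when a comma- or space-separated list of cipher names contains
# chacha20-poly1305@openssh.com (the cipher this bulletin names), 1 otherwise.
# The public Terrapin research also covers CBC ciphers paired with *-etm MACs;
# this check deliberately looks only at the cipher the bulletin calls out.
terrapin_cipher_offered() {
    case ",$(printf '%s' "$1" | tr ' ' ',')," in
        *,chacha20-poly1305@openssh.com,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints an ssh_config stanza for the given host. The leading '-' in the
# Ciphers value removes that algorithm from the client's default list
# instead of replacing the whole list (OpenSSH 7.5+ syntax), so the other
# defaults stay intact.
terrapin_client_stanza() {
    printf 'Host %s\n    Ciphers -chacha20-poly1305@openssh.com\n' "$1"
}

# Asks the local ssh client for the configuration it would actually use for
# the host ("ssh -G" prints lowercase keywords, e.g. "ciphers a,b,c") and
# reports whether the affected cipher is still offered.
check_host() {
    host=$1
    ciphers=$(ssh -G "$host" 2>/dev/null | awk '$1 == "ciphers" { print $2 }')
    if terrapin_cipher_offered "$ciphers"; then
        echo "$host: client still offers chacha20-poly1305@openssh.com"
        return 1
    fi
    echo "$host: chacha20-poly1305@openssh.com is not offered"
}

# Usage (run by hand; not executed when this file is sourced):
#   terrapin_client_stanza flasharray.example >> ~/.ssh/config
#   check_host flasharray.example
```

Run `check_host` before and after appending the stanza: the first run should report the cipher as still offered (it is in the OpenSSH client's default list), the second should not. Once the fixed Purity release is installed on the array, the stanza can be removed, since strict key exchange on both sides supersedes this workaround.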
A Purity version that addresses CVE-2023-48795 will be available in the next few weeks. This security bulletin will be updated as the fixed Purity version becomes available.
If you need assistance with this issue please call Technical Services at +1 866-244-7121. If calling from outside the US, please select from the list of phone numbers here: https://support.purestorage.com/Pure_Storage_Technical_Services/Technical_Services_Information/Contact_Us.