Pure Technical Services

Security Bulletin - Terrapin Vulnerabilities (CVE-2023-48795, CVE-2023-46445 and CVE-2023-46446)

Summary 

In December 2023, the following vulnerabilities in the SSH transport protocol, collectively referred to as the ‘Terrapin’ vulnerabilities, were reported:

  • CVE-2023-48795: General Protocol Flaw (Score: 5.9 Medium)

  • CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH (Score: 5.9 Medium)

  • CVE-2023-46446: Rogue Session Attack in AsyncSSH (Score: 6.8 Medium)

Pure Storage FlashBlade does not use AsyncSSH, which is required for CVE-2023-46445 and CVE-2023-46446 to be exploited. While FlashBlade ships an affected version of OpenSSH, it does not enable the affected ciphers by default, which mitigates CVE-2023-48795.

Pure Storage FlashArray does not use AsyncSSH, which is required for CVE-2023-46445 and CVE-2023-46446 to be exploited. However, FlashArray Purity is susceptible to CVE-2023-48795 as it leverages an affected version of OpenSSH and enables the ChaCha20-Poly1305 cipher by default.

Mitigating Control/Corrective Action 

Product: FlashBlade
Mitigating Control/Corrective Action: No corrective action is required for FlashBlade.

Product: FlashArray
Mitigating Control/Corrective Action: Pure Storage recommends that customers running FlashArray Purity disable the ChaCha20-Poly1305 cipher in any SSH client that connects to the FlashArray as a mitigating control.

A Purity version that addresses CVE-2023-48795 will be available in the next few weeks. Further updates will be provided in this security bulletin as a fixed Purity release becomes available.
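As an added example (not part of Pure Storage's bulletin), the following POSIX shell script applies the client-side control above for OpenSSH clients: it appends a per-host ssh_config stanza that removes chacha20-poly1305@openssh.com from the client's default cipher list, and it checks the effective cipher list that `ssh -G` reports for a host. The host pattern and the config path are assumptions.

```shell
#!/bin/sh
# Added example, not Pure Storage's own tooling. Excludes ChaCha20-Poly1305 in
# the OpenSSH client for the array's management hosts and verifies the result.
set -eu

# Hypothetical host pattern for FlashArray management interfaces (placeholder).
ARRAY_HOSTS="flasharray-*.example.internal"

# Append a per-host stanza to the given ssh_config file. The leading "-" removes
# the cipher from the client's default list instead of replacing the whole list
# (OpenSSH 7.5 and later syntax), so other defaults are left untouched.
write_client_config() {
    cfg="$1"
    cat >>"$cfg" <<EOF
Host $ARRAY_HOSTS
    Ciphers -chacha20-poly1305@openssh.com
EOF
}

# Return 0 if a comma-separated cipher list (the value of the "ciphers" line
# printed by `ssh -G host`) still contains chacha20-poly1305, else 1.
ciphers_include_chacha() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qi '^chacha20-poly1305'
}

# Resolve the effective client configuration for one host and fail if
# ChaCha20-Poly1305 is still offered. Requires the ssh client on PATH.
check_host() {
    host="$1"
    list=$(ssh -G "$host" | awk '$1 == "ciphers" { print $2 }')
    if ciphers_include_chacha "$list"; then
        echo "$host: ChaCha20-Poly1305 still offered: $list"
        return 1
    fi
    echo "$host: ChaCha20-Poly1305 not offered"
}
```

Run `write_client_config ~/.ssh/config` once, then `check_host <array-host>` to confirm the stanza took effect for that host.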

Contacting Support

If you need assistance with this issue, please call Technical Services at +1 866-244-7121. If calling from outside the US, please select from the list of phone numbers here: https://support.purestorage.com/Pure_Storage_Technical_Services/Technical_Services_Information/Contact_Us.