Security Advisory for security-bundle-2022-04-04
Product Specific Resources: Pure Resolution FAQ | FlashArray - Security Update | FlashBlade - Security Update
Summary
On 2022-06-20, Pure Storage released a cumulative patch to remediate four vulnerabilities. The issues described in this bulletin affect only FlashArray and FlashBlade products. No other Pure Storage products or services are affected.
Details
- CVE-2022-32552 describes privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) to this issue.
- CVE-2022-32553 describes privilege escalation via the manipulation of environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) to this issue.
- CVE-2022-32554 describes possible exposed credentials for accessing the product’s management interface. The password may be known outside Pure Storage and could be used on an affected system, if reachable, to execute arbitrary instructions with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) to this issue.
- The remaining issue is the previously developed patch for the Log4Shell incident (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). If this patch has already been applied on the target, then re-application of the patch has no effect. Please see Pure's pre-existing security advisory for additional details and CVSS Base scores.
General Mitigation Best Practices
Pure Storage recommends following security best practices to minimize the risk of compromise:
- Use named user accounts. Do not share passwords. Define a password policy.
- Secure “pureuser” login credentials by changing the default password for “pureuser”. Also see the information relating to Alert 194 (default password for “pureuser” remains unchanged).
- Pure Storage strongly encourages the widely endorsed best practice of highly restricting, if not blocking altogether, Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.
- Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).
- Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to the CloudAssist subnet 52.40.255.224/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection.
- Closely monitor arrays for abnormal or unexpected workload/IO spikes or utilization as a leading indicator.
- Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.
Corrective Action
Option 1: Recommended where applicable. (Please see caveats below.)
- Pure1 customers can remediate these flaws via online patch application. The fastest option is to request the "self-serve" opt-in method via Pure1. Please see FlashArray Security Update and FlashBlade Security Update for further information. Please also see the comprehensive FAQ document. The banner for Security Update patching will be available if your array is using a version of Purity that integrates patch fixes, and/or has also been patched for Log4j. Arrays using Purity//FA lower than 5.3.x, or Purity//FB lower than 3.0.x, do not support patch application and must be upgraded to first-fixed releases or later. "Dark Site" customers can only remediate these issues via an upgrade to an unaffected Purity release.
Option 2:
- Manual patch application. If you would like one of our engineers to assist you with this issue, please call +1(866) 244-7121. If calling from outside the US, here is a list of phone numbers: https://support.purestorage.com/Pure1/Support. Arrays using Purity//FA lower than 5.3.x, or Purity//FB lower than 3.0.x, do not support patch application and must be upgraded to first-fixed releases or later. "Dark Site" customers can only remediate these issues via an upgrade to an unaffected Purity release. Please see FlashArray Security Update and FlashBlade Security Update for further information.
Option 3:
- For FlashArray, the first-fixed releases of Purity that remediate the issues in this bundle are 5.3.18, 6.0.9, 6.1.13, 6.2.4 and 6.3.0.
- For FlashBlade, the first-fixed Purity releases are 3.1.13, 3.2.5 and 3.3.1.
Note that "first-fixed releases" are the earliest releases in each train that remediate all of the issues; they may not be “recommended releases”. Customers should consult their support organization to determine a recommended release appropriate to their needs and circumstances.
Severity
Issue | CVSS Base Score and Vector
CVE-2022-32552 | 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2022-32553 | 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2022-32554 | 8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Fixed Versions & Mitigation Options
The following methods for applying fixes are available. “+” indicates that later versions in the same release train also contain the fixes.
Product & Method | Fixed Version | Notes
Option 1: FlashArray Self-Service “Opt-In” Patch (recommended option) | Can be applied to a FlashArray using 5.3.x or later; prior to 5.3.0 is not supported | Online non-disruptive patch to address all issues identified in security-bundle-2022-04-04, applied via Pure1. For more information, see FlashArray security-bundle-2022-04-04
Option 2: FlashArray Manual Patch (engagement with Pure Storage Technical Support Services) | Can be applied to a FlashArray using 5.3.0 or later; prior to 5.3.0 is not supported | Manually applied non-disruptive patch to address all issues identified in security-bundle-2022-04-04, via scheduled appointment with Pure Storage Technical Support staff. For more information, see FlashArray security-bundle-2022-04-04
Option 3: FlashArray Purity Upgrade (full software release upgrade); the only option for dark sites | First-fixed releases: Purity//FA 6.3.0+ | Online non-disruptive software upgrade addressing the issues in security-bundle-2022-04-04, via scheduled appointment with Pure Storage Technical Support staff. For more information, see FlashArray security-bundle-2022-04-04
Option 1: FlashBlade Self-Service “Opt-In” Patch (recommended option) | Can be applied to a FlashBlade using 3.0.0 or later; prior to 3.0.0 is not supported | Online non-disruptive patch to address all issues identified in security-bundle-2022-04-04, applied via Pure1. For more information, see FlashBlade security-bundle-2022-04-04
Option 2: FlashBlade Manual Patch (engagement with Pure Storage Technical Support Services) | Can be applied to a FlashBlade using 3.0.0 or later; prior to 3.0.0 is not supported | Manually applied non-disruptive patch to address all issues identified in security-bundle-2022-04-04, via scheduled appointment with Pure Storage Technical Support staff. For more information, see FlashBlade security-bundle-2022-04-04
Option 3: FlashBlade Purity Upgrade (full software release upgrade); the only option for dark sites | First-fixed releases: Purity//FB 3.3.1+ | Online non-disruptive software upgrade addressing the issues in security-bundle-2022-04-04, via scheduled appointment with Pure Storage Technical Support staff. For more information, see FlashBlade security-bundle-2022-04-04
Version Status
Product | Affected Versions | First-Fixed Release
FlashArray | | Purity//FA 6.3.0, Purity//FA 6.2.4, Purity//FA 6.1.13, Purity//FA 6.0.9, Purity//FA 5.3.18 (5.2.x and earlier require an upgrade)
FlashBlade | Purity//FB 3.3.0; Purity//FB 3.2.0 - 3.2.4; Purity//FB 3.1.0 - 3.1.12; Purity//FB 3.0.x and all prior releases | Purity//FB 3.3.1, Purity//FB 3.2.5, Purity//FB 3.1.13 (3.0.x and earlier require an upgrade)
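For fleets with many arrays, the first-fixed lists above are easier to apply programmatically. The checker below is an added example (not Pure Storage tooling): it takes the first-fixed releases from this table and classifies a running Purity version as already fixed, patchable within its train, or in a train that has no fix and needs an upgrade to the next fixed train. The rule that a "train" is the same major.minor pair is an assumption.

```python
"""Classify a Purity release against the first-fixed releases in this advisory.
Added example, not Pure Storage tooling. The release lists come from the advisory's
Version Status table; the train-matching rule (same major.minor) is an assumption.
"""
from typing import Optional, Tuple

# First-fixed releases per product, as listed in the advisory.
FIRST_FIXED = {
    "FlashArray": ["5.3.18", "6.0.9", "6.1.13", "6.2.4", "6.3.0"],
    "FlashBlade": ["3.1.13", "3.2.5", "3.3.1"],
}

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'6.1.12' -> (6, 1, 12); a missing patch component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unrecognised Purity version: {text!r}")
    major, minor, patch = parts + [0] * (3 - len(parts))
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, target release).

    fixed:            at or past the first-fixed release of its train
    patch-or-upgrade: in a train that has a fix; apply the bundle patch or upgrade
    upgrade-required: in a train with no fix; upgrade to the next fixed train
    not-listed:       newer than any train in the advisory; consult support
    """
    cur = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIRST_FIXED[product])
    in_train = [f for f in fixed if f[:2] == cur[:2]]
    if in_train:
        return ("fixed", None) if cur >= in_train[0] else ("patch-or-upgrade", fmt(in_train[0]))
    later = [f for f in fixed if f[:2] > cur[:2]]
    if later:
        return "upgrade-required", fmt(later[0])
    return "not-listed", None
```

Note the FlashArray "Affected Versions" cell is empty in the table above, so the checker treats any release below the first-fixed release of its train as affected, consistent with the "first-fixed releases" note under Corrective Action.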
Support Escalation - How To Escalate a Case
If you believe that you may have been actively exploited, please call +1(866) 244-7121 and request that a Severity 1 case be created.
For all other requests for assistance that are not an active Severity 1, outage, or critical issue, please contact Pure Storage Technical Services for assistance.
If calling from outside the US, here is a list of phone numbers: https://support.purestorage.com/Pure1/Support. Pure Storage customers can escalate cases in the following ways:
- Call Pure Storage Support and ask to speak with the Support Manager on Duty.
  - PHONE (US): +1 (866) 244-7121 or +1 (650) 729-4088
  - PHONE (INTERNATIONAL): support.purestorage.com/pure1/support
- Click the escalation link on one of the case emails. Every email from Pure Storage Support displays the following question near the bottom, including a dynamic link: “Not satisfied with the handling of this case? Click here to escalate.”
- In the upper right-hand corner of the Pure1 Case Portal, click Escalate.
Please also see Customer Escalation Procedures for additional information.
Acknowledgments
- Pure Storage thanks Chris Anders for his collaboration and assistance with resolving these issues.