Skip to main content
Contact Us
Register
Pure Technical Services

Security Bulletin - MOVEit Transfer Vulnerabilities

  1. Last updated
  2. Save as PDF

Currently viewing public documentation. Please login to access the full scope of documentation.

Summary 

May 31, 2023, Progress Software published a security advisory for a critical vulnerability (CVE-2023-34362) in MOVEit Transfer solution. Subsequently on June 9, 2023, Progress Software announced the discovery of another critical vulnerability (CVE-2023-35036) that could lead to unauthorized access to their MOVEit file transfer product and environment.

Furthermore, on June 15, 2023 an additional critical vulnerability related to this issue, CVE-2023-35708, was announced.

Pure Storage DOES NOT use MOVEit transfer solution and there is no impact to Pure's products.   

Corrective ActionEdit section

  • No corrective action is needed for Pure Storage products.  
  • While Pure Storage does not use MOVEit transfer solution and there is no impact to Pure's products, Pure Storage recommends that customers affected by Progress Software MOVEit vulnerabilities follow guidance from CISA.

  • General Network Security Mitigation Best Practices

Pure Storage recommends following network security best practices that minimize the risk of compromise:

  • Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).

  • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection. 

  • Pure Storage strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.

  • Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator.  

  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.

Contacting Support

If you need assistance with this issue please call Technical Services at +1 866-244-7121. If calling from outside the US, please select from the list of phone numbers here:  https://support.purestorage.com/Pure_Storage_Technical_Services/Technical_Services_Information/Contact_Us.