Pure Technical Services

Security Bulletin for //FB with Native SMB or Kerberos-Based NFS Fails to Authenticate with Active Directory After MS Kerberos Patch is Applied


Summary 

Pure Storage is aware that the Kerberos vulnerability patch released by Microsoft on Nov 8, 2022 (KB5019966, OS Build 17763.3650, addressing CVE-2022-37966), when applied to Active Directory domain controllers, causes Pure Storage FlashBlade with Native SMB or Kerberos-based NFS to fail to obtain a Kerberos ticket from Active Directory, so clients can no longer authenticate to those shares and exports.

Details 

  • CVE-2022-37966 - Microsoft Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability, released Nov 8, 2022.

    • CVSS Base score 8.1 / Temporal score 7.1 (as provided by Microsoft).

    • Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component. An attacker who successfully exploited this vulnerability could gain administrator privileges. An unauthenticated attacker could leverage cryptographic weaknesses in RFC 4757 (Kerberos encryption type RC4-HMAC-MD5) and in MS-PAC (the Privilege Attribute Certificate data structure specification) to bypass security features in a Windows AD environment. For more information, see Microsoft's article How to manage the Kerberos Protocol changes related to CVE-2022-37966.

Updated Nov 19, 2022. Please see Microsoft's updated guidance posted 18-Nov-2022, Sign in failures and other issues related to Kerberos authentication, which details the known issue and its mitigation steps.
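The Microsoft articles referenced above describe the per-account msDS-SupportedEncryptionTypes attribute, the KDC's DefaultDomainSupportedEncTypes registry override, and the Kerberos-Key-Distribution-Center events (14 and the newly added 42) that the updated KDC logs when it cannot find a usable key for an account. The PowerShell below is an added example, not code from this bulletin, Pure Storage or Microsoft: it reports those three things for the AD account that FlashBlade uses, so you have the facts in hand before contacting Support or applying Microsoft's mitigation. The account name FLASHBLADE-SMB$ and the domain controller DC01 are placeholders; it assumes the RSAT ActiveDirectory module and rights to read AD and the DC's System log.

```powershell
<#
 Added example (not from the Pure Storage bulletin or Microsoft): report the Kerberos
 encryption-type configuration that Microsoft's CVE-2022-37966 guidance asks you to check,
 for the AD account that FlashBlade uses for Native SMB / Kerberos NFS.
 Assumptions: RSAT ActiveDirectory module installed; rights to read AD and the DC's
 System log; $AccountName and $DomainController are placeholders for your environment.
#>
param(
    [string]$AccountName      = 'FLASHBLADE-SMB$',  # assumed sAMAccountName of the FlashBlade computer object
    [string]$DomainController = 'DC01',             # assumed DC that has the November 2022 update installed
    [int]$LookbackHours       = 24
)

Import-Module ActiveDirectory -ErrorAction Stop

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7; KB5021131).
$EncTypeBits = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
    'AES256-SK'               = 0x20   # session-key-only flag introduced by the November 2022 change
}
$AesKeyBits = 0x18   # AES128 | AES256: the account also needs AES keys, i.e. a password set after AES was enabled

function ConvertFrom-EncTypeMask {
    # Turn the bitmask into the list of encryption types it enables.
    param([int]$Mask)
    $names = foreach ($e in $EncTypeBits.GetEnumerator()) {
        if (($Mask -band $e.Value) -ne 0) { $e.Key }
    }
    if ($names) { $names -join ', ' } else { '(unset: the KDC default applies)' }
}

function Get-AccountEncTypes {
    # Read the account's configured encryption types and when its keys were last (re)generated.
    param([string]$Identity, [string]$Server)
    $obj = Get-ADObject -Server $Server -LDAPFilter "(sAMAccountName=$Identity)" `
        -Properties 'msDS-SupportedEncryptionTypes', 'pwdLastSet', 'servicePrincipalName'
    if (-not $obj) { throw "Account '$Identity' not found on $Server" }
    $mask = [int]$obj.'msDS-SupportedEncryptionTypes'   # $null (attribute unset) becomes 0
    [pscustomobject]@{
        Account         = $Identity
        EncTypeMask     = ('0x{0:X2}' -f $mask)
        EncTypes        = ConvertFrom-EncTypeMask $mask
        AesEnabled      = (($mask -band $AesKeyBits) -ne 0)
        PasswordLastSet = [DateTime]::FromFileTime([int64]$obj.pwdLastSet)
        SPNs            = ($obj.servicePrincipalName -join '; ')
    }
}

function Get-KdcDefaultEncTypes {
    # Per-DC override used for accounts whose msDS-SupportedEncryptionTypes is unset (KB5021131).
    param([string]$Server)
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC' `
            -Name DefaultDomainSupportedEncTypes -ErrorAction SilentlyContinue
        if ($p) { $p.DefaultDomainSupportedEncTypes } else { $null }
    }
}

function Get-KdcKeyEvents {
    # Event 14: the KDC found no suitable key for the account.
    # Event 42 (added by the November 2022 update): the KDC lacks strong (AES) keys for the account.
    param([string]$Server, [int]$Hours)
    Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14, 42
        StartTime    = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ') } }
}

Get-AccountEncTypes -Identity $AccountName -Server $DomainController | Format-List

$default = Get-KdcDefaultEncTypes -Server $DomainController
if ($null -eq $default) {
    'KDC DefaultDomainSupportedEncTypes on {0}: not set (built-in default applies)' -f $DomainController
} else {
    'KDC DefaultDomainSupportedEncTypes on {0}: 0x{1:X2} = {2}' -f $DomainController, $default, (ConvertFrom-EncTypeMask $default)
}

Get-KdcKeyEvents -Server $DomainController -Hours $LookbackHours | Format-Table -AutoSize -Wrap
```

Read the output together: an account whose mask has no AES bits (or is unset on a DC whose default excludes AES), a PasswordLastSet that predates AES being enabled, and event 42 naming that account are exactly the conditions the Microsoft guidance discusses. The script only reports; what to change on the FlashBlade side is the subject of the Microsoft guidance above and of Pure Storage Support.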

General Mitigation Best Practices 

Pure Storage recommends following network security best practices that minimize the risk of compromise due to these vulnerabilities:

  • Restrict management interfaces to a trusted set of networks. Please see Best practices on restricting public IP addresses. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).

  • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require outbound TCP port 443 (HTTPS) to the CloudAssist subnet 52.40.255.224/27. The firewall must also permit the return traffic for that established connection (a stateful rule does this automatically). 

  • Pure Storage strongly encourages the widely endorsed best practice of tightly restricting, if not blocking altogether, Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.

  • Closely monitor arrays for abnormal or unexpected workload/IO spikes or utilization as a leading indicator of compromise.  

  • Enable edge detection/protection mechanisms in the firewall/IDS/IPS systems to detect anomalous access or traffic patterns.

Contacting Support 

If you would like one of our engineers to assist you with this issue please call +1(866) 244-7121. If calling from outside the US here is a list of phone numbers: https://support.purestorage.com/Pure1/Support.
