Security Advisory for security-bundle-2022-04-04

Security Bulletins

Audience
Public
Product
FlashBlade
FlashArray
FlashBlade > Purity//FB
FlashArray > Purity//FA
Portworx
Source Type
Documentation

Summary

On 2022-06-20, Everpure released a cumulative patch to remediate four vulnerabilities. The issues described in this bulletin affect only FlashArray and FlashBlade products. No other Everpure products or services are affected.

Details

  • CVE-2022-32552 describes privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) to this issue.

  • CVE-2022-32553 describes privilege escalation via the manipulation of environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) to this issue.

  • CVE-2022-32554 describes possible exposed credentials for accessing the product’s management interface. The password may be known outside Everpure and could be used on an affected system, if reachable, to execute arbitrary instructions with root privileges. The Pure PSIRT has assigned a CVSS Base score of 8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) to this issue.

  • The remaining issue is the previously developed patch for the Log4Shell incident (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). If this patch has already been applied on the target, then re-application of the patch has no effect. Please see Log4j/Log4Shell CVE-2021-44228 for additional details and CVSS Base scores.

General Mitigation Best Practices

Everpure recommends following security best practices to minimize the risk of compromise:

  • Use named user accounts. Do not share passwords. Define a password policy

  • Secure “pureuser” login credentials by changing the default password for “pureuser”. Also see information relating to Alert 194 (Alert 194).

  • Everpure strongly encourages the widely-endorsed best practice of highly restricting -- if not blocking altogether -- Internet access to management interfaces, including connections via SSH, TLS, remote consoles, and remote desktop mechanisms.

    • Restrict management interfaces to a trusted set of networks. Please see Use ONLY Non-Public IP Addresses for Management Connectivity. Additional security posture hardening may be achieved by restricting all control plane access through a jump box (bastion host).

    • Restrict outbound Internet access to trusted destinations. Phone Home and Remote Assist (RA) require port 443 (https) to be open to CloudAssist subnet 52.40.255.224/27 for outbound traffic. A firewall will need to permit inbound traffic for the established connection.

  • Closely monitor arrays for abnormal or unexpected workload/ IO spikes or utilization as a leading indicator.

  • Enable edge detection/protection mechanisms in the firewall / IDS / IPS systems to detect anomalous access or traffic patterns.

Corrective Action

Option 1: Recommended where applicable. (Please see caveats below)

  • Pure1 customers can remediate these flaws via online patch application. The fastest option is to request the "self-serve" opt-in method via Pure1. Please see Resolving FlashArray - security-bundle-2022-04-04 and Resolving FlashBlade - security-bundle-2022-04-04 for further information. Please also see the comprehensive Everpure FAQ security-bundle-2022-04-04 document. The banner for Security Update patching will be available if your array is using a version of Purity that integrates patch fixes, and/or has also been patched for Log4j. Arrays using <//FA Purity lower than 5.3.x, or //FA Purity lower than 3.0.x do not support patch application and must be upgraded to first fixed releases or later. "Dark Site" customers can only remediate these issues via an upgrade to an unaffected Purity release

Option 2:

  • Manual Patch application. If you would like one of our engineers to assist you with this issue please call +1(866) 244-7121. If calling from outside the US here is a list of phone numbers: Contact Us. Arrays using <//FA Purity lower than 5.3.x, or //FA Purity lower than 3.0.x do not support patch application and must be upgraded to first fixed releases or later. "Dark Site" customers can only remediate these issues via an upgrade to an unaffected Purity release. Please see Resolving FlashArray - security-bundle-2022-04-04 and Resolving FlashBlade - security-bundle-2022-04-04 for further information

Option 3:

  • For FlashArray, the first-fixed releases of Purity that remediate the issues in this bundle are 5.3.18, 6.0.9, 6.1.13, 6.2.4 and 6.3.0.
  • For FlashBlade, the first-fixed Purity releases are 3.1.13, 3.2.5 and 3.3.1.
Note:

Note that "first-fixed releases" are the earliest releases in each train that remediate all of the issues; they may not be “recommended releases”. Customers should consult their support organization to determine a recommended release appropriate to their needs and circumstances.

Severity

Issue

CVSS Base Score and Vector

CVE-2022-32552

8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2022-32553

8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2022-32554

8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Fixed Versions & Mitigation Options

The following methods for applying fixes are available. “+” indicates that later versions in the same release train also contain the fixes.

Product & Method

Fixed Version

Note

Option 1: FlashArray Self-Service “Opt-In” Patch. Recommended Option

Can be applied to a FlashArray using 5.3.x or later. Prior to 5.3.0 is not supported

Online non-disruptive patch to address all issues identified in the security-bundle-2022-04-04 via Pure1.

For more information, see Resolving FlashArray Log4j/Log4Shell CVE-2021-44228

Option 2: FlashArray Manual Patch (engagement with Everpure Technical Support Services)

Can be applied to a FlashArray using 5.3.0 or later. Prior to 5.3.0 is not supported

Manually applied non-disruptive patch to address all issues identified in the security-bundle-2022-04-04 via scheduled appointment with Everpure Technical Support staff

For more information, see Resolving FlashArray - security-bundle-2022-04-04

OPTION 3: FlashArray Purity Upgrade (full software release upgrade). This is the only option for dark sites.

First Fixed Releases

Purity//FA 6.3.0+

Purity//FA 6.2.4+

Purity//FA 6.1.13+

Purity//FA 6.0.9+

Purity//FA 5.3.18+

Online non-disruptive software upgrade addressing the issues in security-bundle-2022-04-04 via scheduled appointment with Everpure Technical Support staff

For more information, see Resolving FlashArray Log4j/Log4Shell CVE-2021-44228

Option 1: FlashBlade Self-Service “Opt-In” Patch. Recommended Option

Can be applied to a FlashBlade using 3.0.0 or later. Prior to 3.0.0 is not supported

Online non-disruptive patch to address all issues identified in the security-bundle-2022-04-04 via Pure1.

For more information, see Resolving FlashBlade - security-bundle-2022-04-04

Option 2: FlashBlade Manual Patch (engagement with Everpure Technical Support Services)

Can be applied to a FlashBlade using 3.0.0 or later. Prior to 3.0.0 is not supported

Manually applied non-disruptive patch to address all issues identified in the security-bundle-2022-04-04 via scheduled appointment with Everpure Technical Support staff

For more information, see Resolving FlashBlade - security-bundle-2022-04-04

Option 3: FlashBlade Purity Upgrade (full software release upgrade). This is the only option for dark sites

First Fixed Releases

Purity//FB 3.3.1+

Purity//FB 3.2.5+

Purity//FB 3.1.13+

Online non-disruptive software upgrade addressing the issues in security-bundle-2022-04-04 via scheduled appointment with Everpure Technical Support staff

For more information, see Resolving FlashBlade - security-bundle-2022-04-04

Version Status

Product

Affected Versions

First-Fixed Release

FlashArray

Purity//FA 6.2.0 - 6.2.3

Purity//FA 6.1.0 - 6.1.12

Purity//FA 6.0.0 - 6.0.8

Purity//FA 5.3.0 - 5.3.17

Purity//FA 5.2.x and all prior releases

Purity//FA 6.3.0

Purity//FA 6.2.4

Purity//FA 6.1.13

Purity//FA 6.0.9

Purity//FA 5.3.18

(5.2.x and earlier require an upgrade)

FlashBlade

Purity//FB 3.3.0

Purity//FB 3.2.0 - 3.2.4

Purity//FB 3.1.0 - 3.1.12

Purity//FB 3.0.x and all prior releases

Purity//FB 3.3.1

Purity//FB 3.2.5

Purity//FB 3.1.13

(3.0.x and earlier require an upgrade)

Internal-only: Please contact psirt@purestorage.com or via Slack #psirt-request with any questions.

Support Escalation - How To Escalate a Case

If you believe that you may have been actively exploited, please call +1(866) 244-7121 and request for a Severity 1 case to be created.

For all other requests for assistance that are not an active Severity 1 / outage/ critical issue, please contact Everpure Technical Services for assistance.

If calling from outside the US here is a list of phone numbers: Contact Us. Everpure customers can escalate cases in the following ways:

  • Call Everpure Support and ask to speak with the Support Manager on Duty.

  • PHONE (US) +1 (866) 244-7121 or +1 (650) 729-4088

  • PHONE (INTERNATIONAL) support.purestorage.com/pure1/support

  • Click the escalation link on one of the case emails. Every email from Everpure Support displays the following question near the bottom, including a dynamic link: “Not satisfied with the handling of this case? Click here to escalate.”

  • In the upper right-hand Pure1 Case Portal, click Escalate:

Please also see: Customer Escalation Procedures for additional information.

Acknowledgments

Everpure thanks Chris Anders for his collaboration and assistance with resolving these issues.