FlashArray, FlashBlade at Risk: Pure Storage Reveals CVSS 10 Vulnerabilities
Pure Storage has released a critical security advisory detailing five vulnerabilities in its FlashArray and FlashBlade storage systems. Two of them carry the maximum CVSS score of 10.0, and the rest score 9.1. Together they could let an attacker execute arbitrary code on an array, gain unauthorized or elevated access, and disrupt the storage that critical operations depend on.
Vulnerabilities and Potential Impact:
- CVE-2024-0001 (CVSS 10): Local Configuration Account Left Active: A local account intended for initial array configuration remains active after setup, allowing a malicious actor to gain elevated privileges.
- CVE-2024-0002 (CVSS 10): Remote Access via a Privileged Account: An attacker could use a privileged account to gain remote access to the array.
- CVE-2024-0003 (CVSS 9.1): Remote Account Creation: A malicious user could use a remote administrative service to create an account on the array with privileged access.
- CVE-2024-0004 (CVSS 9.1): Remote Command Execution: A user holding the array admin role can execute arbitrary commands remotely and escalate privilege beyond that role. Note the precondition: this one requires an already-privileged account, so it matters most when combined with the account flaws above or with leaked administrator credentials.
- CVE-2024-0005 (CVSS 9.1): SNMP Configuration Exploitation: A specifically crafted SNMP configuration could allow remote command execution. This is the flaw that affects both FlashArray and FlashBlade.
Affected Versions and Remediation:
A wide range of FlashArray and FlashBlade Purity versions are affected. Pure Storage has published patches and updates; the flaws are addressed in the following releases:
- FlashArray: Purity//FA versions 6.3.15, 6.5.1, and 6.6.1 or later
- FlashBlade: Purity//FB versions 4.1.12 and 4.3.2 or later
Customers are urged to immediately apply the self-service patch bundle or upgrade to an unaffected Purity version. Because the fixes land in several release trains at once, check the running Purity version on every array and blade individually rather than assuming a fleet-wide baseline, and treat any array on a train without a listed fix as affected until Pure Storage confirms otherwise.
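To turn the fixed-version list above into an inventory check, here is a small triage script. It is an added example, not Pure Storage code or a Pure Storage tool: it parses Purity version strings, matches each array to its release train, and reports whether the running version is at or beyond the fix for that train. Versions at or above the newest listed fix (6.6.1 for //FA, 4.3.2 for //FB) are treated as patched per the "or later" wording; versions on a train that the advisory summary names no fix for (for example Purity//FA 6.4.x) are flagged as "unlisted-train" rather than silently passed. The inventory lines and hostnames are constructed for the example.

```python
"""Triage Purity//FA and Purity//FB versions against the fixed releases named
in the advisory summary above. Added example, not Pure Storage code.
Hostnames and inventory lines below are constructed."""

import re

# First patched version per release train, as listed in the advisory summary.
# Keyed by product: "FA" for Purity//FA, "FB" for Purity//FB.
FIXED = {
    "FA": [(6, 3, 15), (6, 5, 1), (6, 6, 1)],
    "FB": [(4, 1, 12), (4, 3, 2)],
}

# Constructed inventory: host,product,version (one array per line).
SAMPLE_INVENTORY = """\
fa-prod-01,FA,6.5.0
fa-prod-02,FA,6.6.2
fa-lab-01,FA,6.4.10
fb-prod-01,FB,4.1.11
fb-prod-02,FB,4.3.2
fb-lab-01,FB,4.3
"""


def parse_version(text):
    """Parse 'major.minor.patch' into an int tuple; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Purity version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(product, version):
    """Return 'patched', 'vulnerable' or 'unlisted-train' for one array.

    - At or above the newest listed fix ("6.6.1 or later"): patched.
    - On a listed train: compare against that train's first fixed build.
    - On a train the advisory summary names no fix for: unlisted-train,
      which the caller should treat as affected until confirmed.
    """
    v = parse_version(version)
    fixes = sorted(FIXED[product])
    if v >= fixes[-1]:
        return "patched"
    for fix in fixes:
        if v[:2] == fix[:2]:
            return "patched" if v >= fix else "vulnerable"
    return "unlisted-train"


def triage(inventory):
    """Map each host in a 'host,product,version' inventory to its status.

    Malformed lines are reported as 'parse-error' instead of aborting the run,
    so one bad record does not hide the rest of the fleet.
    """
    results = {}
    for line in inventory.strip().splitlines():
        host, product, version = (f.strip() for f in line.split(","))
        try:
            results[host] = assess(product, version)
        except (ValueError, KeyError):
            results[host] = "parse-error"
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Any host that is not reported as "patched" needs attention: "vulnerable" hosts get the patch bundle or an upgrade, "unlisted-train" hosts need confirmation from Pure Storage of the fixed build for their train, and "parse-error" hosts need their inventory record corrected before they can be trusted.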
Urgency and Security Implications:
These vulnerabilities pose a significant risk to the confidentiality, integrity, and availability of sensitive data stored on FlashArray and FlashBlade systems. Organizations are strongly encouraged to take immediate action to mitigate these risks.