A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges.
A local account, designed solely for the purposes of initial array configuration, is not deactivated after completion of this process. It remains active in the system, constituting an unintended access vector. An attacker who gains access to this account can exploit it to perform privilege escalation in the system.
An attacker can obtain elevated privileges in the FlashArray Purity system, which may lead to complete takeover of the storage array, and consequently to breach of confidentiality, integrity, and availability of stored data.
Patches available from the vendor should be applied in accordance with the references (https://purestorage.com/security). It is also recommended to verify the status of local accounts on FlashArray systems and deactivate unused configuration accounts.
Pure Storage Purity//FA (FlashArray) products — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HPurestorage Purity\/\/fa
APPPurestorage6.3.0 – 6.3.146.4.0 – 6.4.10
Related vulnerabilities
Obejście uwierzytelnienia w Pure Storage FlashArray Purity (CVSS 10.0)
Command injection w Pure Storage Purity poprzez konfigurację SNMP
Zdalne wykonanie kodu z eskalacją uprawnień w Pure Storage FlashArray Purity
Pure Storage FlashArray Purity — nieautoryzowane tworzenie konta z uprawnieniami
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3....