CVE-2024-0001 - Vulnerability Details - OpenCVE

A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Purestorage	Flasharray Purity\/\/fa

Configuration 1 [-]

OR	cpe:2.3:a:purestorage:purity\/\/fa::::::::
	cpe:2.3:a:purestorage:purity\/\/fa::::::::

No data.

References

Link	Providers
https://purestorage.com/security

History

Fri, 27 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Purestorage purity\/\/fa
CPEs		cpe:2.3:a:purestorage:purity\/\/fa::::::::
Vendors & Products		Purestorage purity\/\/fa

Mon, 23 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Purestorage Purestorage flasharray
CPEs		cpe:2.3:a:purestorage:flasharray:6.3.0:::::::* cpe:2.3:a:purestorage:flasharray:6.4.0:::::::*
Vendors & Products		Purestorage Purestorage flasharray
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 23 Sep 2024 17:45:00 +0000

Type	Values Removed	Values Added
Description		A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges.
Weaknesses		CWE-1188
References		https://purestorage.com/security
Metrics		cvssV3_1 `{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: PureStorage

Published: 2024-09-23T17:25:00.509Z

Updated: 2024-09-23T17:57:24.819Z

Reserved: 2023-11-01T17:08:46.055Z

Link: CVE-2024-0001

Vulnrichment

Updated: 2024-09-23T17:57:18.359Z

NVD

Status : Analyzed

Published: 2024-09-23T18:15:04.070

Modified: 2024-09-27T14:08:57.327

Link: CVE-2024-0001

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0001", "assignerOrgId": "3895c224-4e1d-482a-adb3-fa64795683ac", "state": "PUBLISHED", "assignerShortName": "PureStorage", "dateReserved": "2023-11-01T17:08:46.055Z", "datePublished": "2024-09-23T17:25:00.509Z", "dateUpdated": "2024-09-23T17:57:24.819Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Purity"], "product": "FlashArray", "vendor": "Pure Storage", "versions": [{"lessThanOrEqual": "6.3.14", "status": "affected", "version": "6.3.0", "versionType": "custom"}, {"lessThanOrEqual": "6.4.10", "status": "affected", "version": "6.4.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges.</span><br>"}], "value": "A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3895c224-4e1d-482a-adb3-fa64795683ac", "shortName": "PureStorage", "dateUpdated": "2024-09-23T17:34:40.076Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://purestorage.com/security"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Affected customers will need to apply a self-service patch bundle or upgrade their Purity to an unaffected Purity version.\n<br>\n<br>This issue is resolved in the following<span style=\"background-color: rgb(255, 255, 255);\"> FlashArray Purity </span> releases:\n<br><ul><li><span style=\"background-color: rgb(255, 255, 255);\">Purity//FA versions 6.3.15 or later </span></li><li><span style=\"background-color: rgb(255, 255, 255);\">Purity//FA versions 6.5.1 or later </span></li><li><span style=\"background-color: rgb(255, 255, 255);\">Purity//FA versions 6.6.1 or later. </span></li></ul></span>"}], "value": "Affected customers will need to apply a self-service patch bundle or upgrade their Purity to an unaffected Purity version.\n\n\n\nThis issue is resolved in the following\u00a0FlashArray Purity releases:\n\n * Purity//FA versions 6.3.15 or later\u00a0\n * Purity//FA versions 6.5.1 or later\u00a0\n * Purity//FA versions 6.6.1 or later."}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "purestorage", "product": "flasharray", "cpes": ["cpe:2.3:a:purestorage:flasharray:6.3.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.3.0", "status": "affected", "lessThanOrEqual": "6.3.14", "versionType": "custom"}]}, {"vendor": "purestorage", "product": "flasharray", "cpes": ["cpe:2.3:a:purestorage:flasharray:6.4.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "6.4.0", "status": "affected", "lessThanOrEqual": "6.4.10", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T17:51:47.992533Z", "id": "CVE-2024-0001", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T17:57:24.819Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-23T17:51:47.992533Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:purestorage:flasharray:6.3.0:*:*:*:*:*:*:*"], "vendor": "purestorage", "product": "flasharray", "versions": [{"status": "affected", "version": "6.3.0", "versionType": "custom", "lessThanOrEqual": "6.3.14"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:purestorage:flasharray:6.4.0:*:*:*:*:*:*:*"], "vendor": "purestorage", "product": "flasharray", "versions": [{"status": "affected", "version": "6.4.0", "versionType": "custom", "lessThanOrEqual": "6.4.10"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T17:57:18.359Z"}}], "cna": {"source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pure Storage", "product": "FlashArray", "versions": [{"status": "affected", "version": "6.3.0", "versionType": "custom", "lessThanOrEqual": "6.3.14"}, {"status": "affected", "version": "6.4.0", "versionType": "custom", "lessThanOrEqual": "6.4.10"}], "platforms": ["Purity"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Affected customers will need to apply a self-service patch bundle or upgrade their Purity to an unaffected Purity version.\n\n\n\nThis issue is resolved in the following\u00a0FlashArray Purity releases:\n\n * Purity//FA versions 6.3.15 or later\u00a0\n * Purity//FA versions 6.5.1 or later\u00a0\n * Purity//FA versions 6.6.1 or later.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Affected customers will need to apply a self-service patch bundle or upgrade their Purity to an unaffected Purity version.\n<br>\n<br>This issue is resolved in the following<span style=\"background-color: rgb(255, 255, 255);\"> FlashArray Purity </span> releases:\n<br><ul><li><span style=\"background-color: rgb(255, 255, 255);\">Purity//FA versions 6.3.15 or later </span></li><li><span style=\"background-color: rgb(255, 255, 255);\">Purity//FA versions 6.5.1 or later </span></li><li><span style=\"background-color: rgb(255, 255, 255);\">Purity//FA versions 6.6.1 or later. </span></li></ul></span>", "base64": false}]}], "references": [{"url": "https://purestorage.com/security", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1188", "description": "CWE-1188 Insecure Default Initialization of Resource"}]}], "providerMetadata": {"orgId": "3895c224-4e1d-482a-adb3-fa64795683ac", "shortName": "PureStorage", "dateUpdated": "2024-09-23T17:34:40.076Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0001", "state": "PUBLISHED", "dateUpdated": "2024-09-23T17:57:24.819Z", "dateReserved": "2023-11-01T17:08:46.055Z", "assignerOrgId": "3895c224-4e1d-482a-adb3-fa64795683ac", "datePublished": "2024-09-23T17:25:00.509Z", "assignerShortName": "PureStorage"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:purestorage:purity\\/\\/fa:*:*:*:*:*:*:*:*", "matchCriteriaId": "A81E5420-C4D6-42CD-93EB-0B0BCB01F918", "versionEndIncluding": "6.3.14", "versionStartIncluding": "6.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:purestorage:purity\\/\\/fa:*:*:*:*:*:*:*:*", "matchCriteriaId": "07C73EC4-5F8C-422B-971F-0C8445E72145", "versionEndIncluding": "6.4.10", "versionStartIncluding": "6.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges."}, {"lang": "es", "value": "Existe una condici\u00f3n en FlashArray Purity por la cual una cuenta local destinada a la configuraci\u00f3n inicial de la matriz permanece activa, lo que potencialmente permite que un actor malintencionado obtenga privilegios elevados."}], "id": "CVE-2024-0001", "lastModified": "2024-09-27T14:08:57.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "psirt@purestorage.com", "type": "Secondary"}]}, "published": "2024-09-23T18:15:04.070", "references": [{"source": "psirt@purestorage.com", "tags": ["Vendor Advisory"], "url": "https://purestorage.com/security"}], "sourceIdentifier": "psirt@purestorage.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1188"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1188"}], "source": "psirt@purestorage.com", "type": "Secondary"}]}