CVE-2023-36628
📋 TL;DR
This vulnerability allows users with VMware admin access on a FlashArray to escalate privileges to root through VASA. It affects VMware vSphere/ESXi environments integrated with Pure Storage FlashArray systems. Attackers with existing admin access can gain full system control.
💻 Affected Systems
- Pure Storage FlashArray with VASA Provider
📦 What is this software?
Purity//FA by Pure Storage
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the FlashArray system, allowing attackers to access, modify, or delete all storage data, disrupt operations, and potentially pivot to connected systems.
Likely Case
Privileged VMware administrators exploiting the flaw to gain root access on FlashArray for unauthorized data access or configuration changes.
If Mitigated
Limited impact if strict access controls, network segmentation, and monitoring are in place to detect privilege escalation attempts.
🎯 Exploit Status
Exploitation requires existing VMware admin credentials; for an attacker who already holds them, the flaw in the privilege escalation mechanism makes reaching root straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: VASA Provider 6.2.4 or later
Restart Required: Yes
Instructions:
1. Download VASA Provider 6.2.4+ from the Pure Storage support portal.
2. Deploy the new VASA Provider OVA to vSphere.
3. Register the new provider with vCenter.
4. Remove the old VASA Provider.
5. Verify integration functionality.
🔧 Temporary Workarounds
Restrict VMware Admin Access
Limit the VMware administrator accounts that have access to FlashArray management interfaces.
Network Segmentation
Isolate FlashArray management interfaces from general VMware admin networks.
🧯 If You Can't Patch
- Implement strict access controls and least privilege for VMware admin accounts
- Enable detailed logging and monitoring of FlashArray management activities
🔍 How to Verify
Check if Vulnerable:
Check VASA Provider version in vCenter under Storage Providers or via Pure Storage FlashArray management interface.
Check Version:
Connect to FlashArray GUI or CLI and check VASA Provider version, or check in vCenter Storage Providers section.
Verify Fix Applied:
Confirm VASA Provider version is 6.2.4 or later and test that VMware admin users cannot escalate to root on FlashArray.
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts in FlashArray logs
- Root access from VMware admin accounts
- Unauthorized configuration changes
Network Indicators:
- Unexpected management traffic between VMware and FlashArray
- Authentication anomalies
SIEM Query:
source="flasharray" AND (event="privilege_escalation" OR (user="root" AND source_user="vmware_admin"))
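The same detection rule applied offline to constructed audit lines, as an added example that is not part of this advisory or of Pure Storage's tooling. The field names (source, event, user, source_user) are taken from the SIEM query above; the key=value line format and the sample lines are assumptions, not Purity//FA's real log format.

```python
# Added example, not from the advisory or Pure Storage: runs the detection
# logic of this page's SIEM query over constructed key=value audit lines.
# Field names come from the page's query; the line format is an assumption.
import shlex

# Constructed sample audit lines (not real FlashArray output).
SAMPLE_LOG = """\
source=flasharray event=login user=vmware_admin source_user=vmware_admin msg="VASA session opened"
source=flasharray event=privilege_escalation user=root source_user=vmware_admin msg="root via VASA"
source=flasharray event=config_change user=root source_user=vmware_admin msg="volume deleted"
source=flasharray event=config_change user=root source_user=root msg="routine root change"
source=vcenter event=privilege_escalation user=root source_user=vmware_admin msg="not a FlashArray event"
"""


def parse_kv_line(line: str) -> dict:
    """Parse one key=value audit line; shlex keeps quoted values intact."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def is_suspicious(rec: dict) -> bool:
    """True for an explicit escalation event, or root reached from a VMware admin.

    The grouping is written out explicitly: OR/AND precedence differs between
    SIEM query languages (Splunk, for one, evaluates OR before AND), so a bare
    'A OR B AND C' may not mean what the analyst intended.
    """
    if rec.get("source") != "flasharray":
        return False
    escalation = rec.get("event") == "privilege_escalation"
    root_via_vmware = rec.get("user") == "root" and rec.get("source_user") == "vmware_admin"
    return escalation or root_via_vmware


def find_suspicious(log_text: str) -> list:
    """Return the parsed records that match the detection rule."""
    records = (parse_kv_line(line) for line in log_text.splitlines() if line.strip())
    return [rec for rec in records if is_suspicious(rec)]


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec["event"], rec["user"], rec["source_user"], rec["msg"])
```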
🔗 References
- https://support.purestorage.com/Pure_Storage_Technical_Services/Field_Bulletins/Security_Bulletins/Security_Bulletin_for_Privilege_Escalation_in_VASA_CVE-2023-36628