nettcp_advisory2.asc

Version 4

Issued: Thu Oct 20 10:56:28 CDT 2016

Version 4 Changes: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
7.1.3.5, and 7.1.3.6. For security reasons, it is highly recommended to
install these new iFixes. Bulletin scope increased to include ftp/ftpd and
ndpd-host/ndpd-router.

IBM SECURITY ADVISORY

First Issued: Tue Jul 26 13:50:13 CDT 2016
|Updated: Thu Oct 20 10:56:28 CDT 2016
|Update: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
|        7.1.3.5, and 7.1.3.6. Scope increased to include ftp/ftpd and
|        ndpd-host/ndpd-router.

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
ftp://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc

Security Bulletin: Vulnerabilities in MD5 Signature and Hash Algorithm and
|                  TLS 1.2 affect sendmail, imap, pop3d, ftp/ftpd, and
|                  ndpd-host/ndpd-router on AIX (CVE-2015-7575 and
|                  CVE-2016-0266)

===============================================================================

SUMMARY:

|   TLS 1.2 is not the default protocol version for sendmail, imap, pop3d,
|   ftp/ftpd, and ndpd-host/ndpd-router, and the TLS 1.2 implementation is
|   impacted by the MD5 SLOTH vulnerability (MD5-signed ServerKeyExchange).

===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2015-7575
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
    DESCRIPTION: The TLS protocol could allow weaker than expected security
        caused by a collision attack when using the MD5 hash function for
        signing a ServerKeyExchange message during a TLS handshake. An
        attacker could exploit this vulnerability using man-in-the-middle
        techniques to impersonate a TLS server and obtain credentials.
    CVSS Base Score: 7.1
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for
        more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

    CVEID: CVE-2016-0266
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0266
    DESCRIPTION: IBM AIX does not require the newest version of TLS by
        default, which could allow a remote attacker to obtain sensitive
        information using man-in-the-middle techniques.
    CVSS Base Score: 3.7
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/110911 for
        more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

AFFECTED PRODUCTS AND VERSIONS:

        AIX 5.3, 6.1, 7.1, 7.2
        VIOS 2.2.x

    The following fileset levels are vulnerable:

    key_fileset = aix

    Fileset                 Lower Level  Upper Level  KEY
    ---------------------------------------------------------
    bos.net.tcp.client      5.3.12.0     5.3.12.10    key_w_fs
    bos.net.tcp.server      5.3.12.0     5.3.12.6     key_w_fs
    bos.net.tcp.client      6.1.9.0      6.1.9.102    key_w_fs
    bos.net.tcp.server      6.1.9.0      6.1.9.101    key_w_fs
    bos.net.tcp.client      7.1.3.0      7.1.3.47     key_w_fs
    bos.net.tcp.server      7.1.3.0      7.1.3.47     key_w_fs
    bos.net.tcp.client      7.1.4.0      7.1.4.1      key_w_fs
    bos.net.tcp.server      7.1.4.0      7.1.4.1      key_w_fs
    bos.net.tcp.imapd       7.2.0.0      7.2.0.0      key_w_fs
    bos.net.tcp.pop3d       7.2.0.0      7.2.0.0      key_w_fs
    bos.net.tcp.sendmail    7.2.0.0      7.2.0.0      key_w_fs

    Note: to find out whether the affected filesets are installed
    on your systems, refer to the lslpp command found in the AIX
    user's guide. Both bounds of each range are inclusive.

    Example:  lslpp -L | grep -i bos.net.tcp.client

REMEDIATION:

    A. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level  APAR     Availability  SP   KEY
        ------------------------------------------------
        5.3.12     IV86120  N/A           N/A  key_w_apar
        6.1.9      IV86116  10/21/16      SP8  key_w_apar
        7.1.3      IV86117  1/27/17       SP8  key_w_apar
        7.1.4      IV86118  10/21/16      SP3  key_w_apar
        7.2.0      IV86119  1/27/17       SP3  key_w_apar
        7.2.0      IV86132  1/27/17       SP3  key_w_apar

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV86120
        http://www.ibm.com/support/docview.wss?uid=isg1IV86116
        http://www.ibm.com/support/docview.wss?uid=isg1IV86117
        http://www.ibm.com/support/docview.wss?uid=isg1IV86118
        http://www.ibm.com/support/docview.wss?uid=isg1IV86119
        http://www.ibm.com/support/docview.wss?uid=isg1IV86132

        By subscribing, you will receive periodic email alerting you to
        the status of the APAR, and a link to download the fix once it
        becomes available.

    B. FIXES

        Fixes are available.

        The fixes can be downloaded via ftp or http from:

        ftp://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar
        http://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar
        https://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and OpenSSL signatures for each package.

        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        NOTE: for 7.2.0, two fixes are listed. Both fixes need to be
        installed to remediate both CVE-2015-7575 and CVE-2016-0266.

|       NOTE: for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6, 7.1.3.5, and 7.1.3.6,
|       the iFixes have been separated by application. Please check the
|       subsequent tables.
        AIX Level  Interim Fix (*.Z)         KEY
        ----------------------------------------------
        6.1.9.7    IV86116m7a.160701.epkg.Z  key_w_fix
        7.1.3.7    IV86117m7a.160725.epkg.Z  key_w_fix
        7.1.4.x    IV86118m2a.160701.epkg.Z  key_w_fix
        7.2.0.x    IV86119s0a.160701.epkg.Z  key_w_fix
        7.2.0.x    IV86132s0a.160701.epkg.Z  key_w_fix

        VIOS Level  Interim Fix (*.Z)         KEY
        -----------------------------------------------
        2.2.4.2x    IV86116m7a.160701.epkg.Z  key_w_fix

        The above fixes are cumulative and address previously issued AIX
        sendmail, imap, and pop3d security bulletins with respect to SP
        and TL.

|       For AIX 5.3.12.9, 6.1.9.5, 6.1.9.6, 7.1.3.5, and 7.1.3.6:

|       BIND:
|       AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
|       ----------------------------------------------------------
|       5.3.12.9   IV88957m9a.160910.epkg.Z  key_w_fix  BIND
|       6.1.9.5    IV79071m5a.160901.epkg.Z  key_w_fix  BIND
|       6.1.9.6    IV79071m6a.161017.epkg.Z  key_w_fix  BIND
|       7.1.3.5    IV82331m5a.160830.epkg.Z  key_w_fix  BIND
|       7.1.3.6    IV82331m6a.160901.epkg.Z  key_w_fix  BIND

|       ftp/ftpd:
|       AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
|       ----------------------------------------------------------
|       6.1.9.5    IV78624m5a.160830.epkg.Z  key_w_fix  ftp/ftpd
|       7.1.3.5    IV82327m5a.160830.epkg.Z  key_w_fix  ftp/ftpd
|       7.1.3.6    IV82327s6a.160901.epkg.Z  key_w_fix  ftp/ftpd

|       NOTE: ftp/ftpd on AIX 5.3.12.9 and 6.1.9.6 is not impacted.

|       imapd/pop3d:
|       AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
|       ----------------------------------------------------------
|       5.3.12.9   IV88959m9a.160915.epkg.Z  key_w_fix  imapd/pop3d
|       6.1.9.5    IV79070m5a.160901.epkg.Z  key_w_fix  imapd/pop3d
|       6.1.9.6    IV79070m6a.160902.epkg.Z  key_w_fix  imapd/pop3d
|       7.1.3.5    IV82330m5a.160831.epkg.Z  key_w_fix  imapd/pop3d
|       7.1.3.6    IV82330m6a.160831.epkg.Z  key_w_fix  imapd/pop3d

|       ndpd-host/ndpd-router:
|       AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
|       ----------------------------------------------------------
|       6.1.9.5    IV79072s5a.160830.epkg.Z  key_w_fix  ndpd-host/ndpd-router
|       6.1.9.6    IV79072s6a.160902.epkg.Z  key_w_fix  ndpd-host/ndpd-router
|       7.1.3.5    IV82412s5a.160829.epkg.Z  key_w_fix  ndpd-host/ndpd-router
|       7.1.3.6    IV82412s6a.160901.epkg.Z  key_w_fix  ndpd-host/ndpd-router

|       NOTE: ndpd-host/ndpd-router on AIX 5.3.12.9 is not impacted.

|       sendmail:
|       AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
|       ----------------------------------------------------------
|       5.3.12.9   IV88960m9a.160913.epkg.Z  key_w_fix  sendmail
|       6.1.9.5    IV78625m5a.160901.epkg.Z  key_w_fix  sendmail
|       6.1.9.6    IV86116s6a.160812.epkg.Z  key_w_fix  sendmail
|       7.1.3.5    IV82328m5a.160830.epkg.Z  key_w_fix  sendmail
|       7.1.3.6    IV82328m6a.160901.epkg.Z  key_w_fix  sendmail

|       NOTE: sendmail on AIX 6.1.9.6 is not impacted by CVE-2016-0266
|       but does require a fix for CVE-2015-7575.
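        Before selecting a fix from the tables above, confirm that the installed
        fileset levels actually fall inside the ranges listed under AFFECTED
        PRODUCTS AND VERSIONS. The script below is an added example and is not
        part of the IBM advisory: it parses the whitespace-separated listing that
        `lslpp -L` produces (the same output the advisory's own lslpp example
        greps), compares V.R.M.F levels numerically rather than as strings, and
        reports every fileset inside a vulnerable range. The sample listing and
        the file name check_filesets.py are constructed for the demo.

```python
"""Flag installed AIX filesets whose level falls in this bulletin's vulnerable
ranges.  Added example, not IBM's code: parses plain `lslpp -L` output."""
import re

# Vulnerable ranges copied from the AFFECTED PRODUCTS AND VERSIONS table:
# (fileset, lower level, upper level); both bounds are inclusive.
VULNERABLE_RANGES = [
    ("bos.net.tcp.client",   "5.3.12.0", "5.3.12.10"),
    ("bos.net.tcp.server",   "5.3.12.0", "5.3.12.6"),
    ("bos.net.tcp.client",   "6.1.9.0",  "6.1.9.102"),
    ("bos.net.tcp.server",   "6.1.9.0",  "6.1.9.101"),
    ("bos.net.tcp.client",   "7.1.3.0",  "7.1.3.47"),
    ("bos.net.tcp.server",   "7.1.3.0",  "7.1.3.47"),
    ("bos.net.tcp.client",   "7.1.4.0",  "7.1.4.1"),
    ("bos.net.tcp.server",   "7.1.4.0",  "7.1.4.1"),
    ("bos.net.tcp.imapd",    "7.2.0.0",  "7.2.0.0"),
    ("bos.net.tcp.pop3d",    "7.2.0.0",  "7.2.0.0"),
    ("bos.net.tcp.sendmail", "7.2.0.0",  "7.2.0.0"),
]

# Constructed sample of `lslpp -L` output for the demo; not a real system.
SAMPLE_LSLPP = """\
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.net.tcp.client        7.1.3.45    C     F    TCP/IP Client Support
  bos.net.tcp.server        7.1.3.48    C     F    TCP/IP Server
  bos.net.tcp.smit          7.1.3.45    C     F    TCP/IP SMIT Support
"""

# fileset name, then a four-part dotted level; header and dash lines do not match
LINE_RE = re.compile(r"^\s*(\S+)\s+(\d+(?:\.\d+){3})\s")


def vrmf(level):
    """Turn '6.1.9.102' into (6, 1, 9, 102) so levels compare numerically;
    string comparison would wrongly rank 6.1.9.102 below 6.1.9.5."""
    return tuple(int(part) for part in level.split("."))


def parse_lslpp(text):
    """Return {fileset: level} from the `lslpp -L` listing."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def find_vulnerable(installed):
    """Return [(fileset, level, lower, upper)] for each installed fileset
    whose level lies inside a vulnerable range."""
    hits = []
    for fileset, lower, upper in VULNERABLE_RANGES:
        level = installed.get(fileset)
        if level and vrmf(lower) <= vrmf(level) <= vrmf(upper):
            hits.append((fileset, level, lower, upper))
    return hits


if __name__ == "__main__":
    # On a real host:  lslpp -L > lslpp.txt ; python3 check_filesets.py lslpp.txt
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LSLPP
    for fileset, level, lower, upper in find_vulnerable(parse_lslpp(text)):
        print(f"{fileset} {level} is inside vulnerable range {lower} .. {upper}")
```

        A hit only means the base fileset level is in range; a system that
        already has the matching interim fix applied (visible with `emgr -l`)
        is remediated even though lslpp still reports the old level.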
        To extract the fixes from the tar file:

        tar xvf nettcp_fix2.tar
        cd nettcp_fix2

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256 file" command as the following:

        openssl dgst -sha256                                              filename                  KEY
        -----------------------------------------------------------------------------------------------------
        19be8bf993b80dced370485fa37f7cc0980e2e4dcb3497464a314369663fb500  IV86116m7a.160701.epkg.Z  key_w_csum
        58e43a9088d29617bb625507cad0ac9c0037d19ee9d135475846592933c9b9e0  IV86117m7a.160725.epkg.Z  key_w_csum
        0fe05276879a6307d729ebf33110b98a40100d572d0b7ca2c2a58e41ce8de4e3  IV86118m2a.160701.epkg.Z  key_w_csum
        14c10c55f68c73e99e62e8e5fcd565b982b73930f9e678253da42ffd720b2f99  IV86119s0a.160701.epkg.Z  key_w_csum
        ff18bd41e58da820ce5333cdb8fa935c48c6a6f83e5a79be6dbcfc4ad2743691  IV86132s0a.160701.epkg.Z  key_w_csum
|       73faebb99210c2107f04504a21bb97847de77ff9d51eaf61f4e4aa1da9c5b9c9  IV79071m5a.160901.epkg.Z  key_w_csum
|       6fa7e6eea5e67782eb4bdfa6c23f4a4e2f852b1f0ffc465b3757a6377114cd00  IV79071m6a.161017.epkg.Z  key_w_csum
|       8fc455651e6f2042036bf5c7965128c157c7d8c8d2a3088fa68a72d553dbb304  IV82331m5a.160830.epkg.Z  key_w_csum
|       874ebdcb6c68872239bb4f3e9f9de4a65865b1664bbfc221f2dd43a34d7b4ecf  IV82331m6a.160901.epkg.Z  key_w_csum
|       f9ab17151047a24550777431d14516b78e564df1e2cdd485b284c2427ab453f2  IV88957m9a.160910.epkg.Z  key_w_csum
|       bd7e051c33238a81d801aaf8618df66bf82675a963b531184dfdd794f139f3c8  IV78624m5a.160830.epkg.Z  key_w_csum
|       5971f59fdb32ae2f5aa204f3fdd4498e1eccd0203790b6fb33e95a54c493954d  IV82327m5a.160830.epkg.Z  key_w_csum
|       540f0da075ed2443538cdb4e5c6cd1385a03f6f867183a554852051946f91ee6  IV82327s6a.160901.epkg.Z  key_w_csum
|       c0df29486c037a1ce2a4a55342f0b989e66e3d89ad9ce7bc2b12d8354682d18d  IV79070m5a.160901.epkg.Z  key_w_csum
|       9ed31810ee3ab4cbdc4b92d4b9198602b78bd7cd2d326701140b177fab7800d6  IV79070m6a.160902.epkg.Z  key_w_csum
|       a335226603ad6f65a54e1d444b58d846dd83fb1a7f1b86f0c4a40ca130bf7b23  IV82330m5a.160831.epkg.Z  key_w_csum
|       3ffbcb4cf2761d62f54ca804c2aca7be7bdb3d2165920f8df1846959732e7948  IV82330m6a.160831.epkg.Z  key_w_csum
|       f0aa49945aaaf6baca39a9ad172755065da2ab9e03487153ad308e29428de5eb  IV88959m9a.160915.epkg.Z  key_w_csum
|       3f5fbf506225091755f8b2286f24be51e4c61c89f648c69fcbd331772948e2f0  IV79072s5a.160830.epkg.Z  key_w_csum
|       dd3abf459c791cf7c39e45d06dfa68efa2770c30e38f64388c029cfbc4a55834  IV79072s6a.160902.epkg.Z  key_w_csum
|       d8bf82ffa304af2fbf6cfcfb8d38b7f24472b8a6824229786d9621179c4fb7b3  IV82412s5a.160829.epkg.Z  key_w_csum
|       dc7acd163d96bbdf7f8c627d89c49841c3c922939c5c2163be6abb9d3d79db8b  IV82412s6a.160901.epkg.Z  key_w_csum
|       1a844faadf0bbc320e9d07cabe88ce47947f470938bf24ac38906ff2e841b4ad  IV78625m5a.160901.epkg.Z  key_w_csum
|       e0add136d22460839189a3b36dfd2f2ba9c94f57ccc5e00d32e1388de0843a32  IV86116s6a.160812.epkg.Z  key_w_csum
|       46c472ee150dcb91992b2453d5827d5586e565f853c5d07b241796b0bad69240  IV82328m5a.160830.epkg.Z  key_w_csum
|       c141299520481a2aa7a017cbdd99b361ea8861127942f75b67a8379f80890145  IV82328m6a.160901.epkg.Z  key_w_csum
|       3c59b5a7ee362809302eb1a8154842a7f5373bc2df63b99a147f79e4448faceb  IV88960m9a.160913.epkg.Z  key_w_csum

        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes. If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

        The signature commands take the IBM public key listed under
        CONTACT US as <pubkey_file>:

        openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
        openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>

        Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created. Verify it is both bootable and
        readable before proceeding.
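        The sum and signature checks from section B can be run over the whole
        extracted nettcp_fix2 directory at once rather than file by file. The
        script below is an added example, not IBM's code. It parses the
        "digest filename key_w_csum" lines straight out of this advisory
        (ignoring the leading "|" change markers), hashes every listed file
        with hashlib.sha256, which gives the same digest as "openssl dgst
        -sha256 file", and reports ok / MISMATCH / missing per package. The
        signature check shells out to the openssl binary with exactly the
        command the advisory gives, so it assumes openssl is on PATH and that
        the IBM public key was downloaded as described under CONTACT US. The
        demo table, its file names and the script name verify_fixes.py are
        constructed; the demo digest is the FIPS 180 test vector for "abc".

```python
"""Verify extracted fix packages against this advisory's SHA-256 sums and
OpenSSL signatures.  Added example, not IBM's code."""
import hashlib
import os
import subprocess
import tempfile


def parse_checksum_table(text):
    """Return {filename: sha256hex} from 'digest filename key_w_csum' lines;
    the '|' change markers the advisory puts in front of new rows are dropped."""
    expected = {}
    for line in text.splitlines():
        parts = line.replace("|", " ").split()
        if len(parts) == 3 and parts[2] == "key_w_csum" and len(parts[0]) == 64:
            expected[parts[1]] = parts[0].lower()
    return expected


def sha256_file(path):
    """Same digest as `openssl dgst -sha256 path`, streamed in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_fixes(fix_dir, expected):
    """Map every filename in the table to 'ok', 'MISMATCH' or 'missing'.
    A missing package is reported rather than silently skipped."""
    status = {}
    for name, digest in expected.items():
        path = os.path.join(fix_dir, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        else:
            status[name] = "ok" if sha256_file(path) == digest else "MISMATCH"
    return status


def verify_signature(pubkey_file, path):
    """Run: openssl dgst -sha1 -verify <pubkey_file> -signature <path>.sig <path>
    Success requires both a zero exit status and 'Verified OK' on stdout.
    Assumes an openssl binary on PATH (not exercised by the demo)."""
    proc = subprocess.run(
        ["openssl", "dgst", "-sha1", "-verify", pubkey_file,
         "-signature", path + ".sig", path],
        capture_output=True, text=True)
    return proc.returncode == 0 and "Verified OK" in proc.stdout


# Constructed demo table: three entries, all carrying sha256("abc").
# Only demo_good.epkg.Z will actually contain "abc".
DEMO_TABLE = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad demo_good.epkg.Z key_w_csum
| ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad demo_tampered.epkg.Z key_w_csum
| ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad demo_missing.epkg.Z key_w_csum
"""


def demo():
    """Create the demo files in a temp dir and return the verification map."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "demo_good.epkg.Z"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(d, "demo_tampered.epkg.Z"), "wb") as f:
            f.write(b"abd")          # one byte off: digest will not match
        return verify_fixes(d, parse_checksum_table(DEMO_TABLE))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python3 verify_fixes.py nettcp_advisory2.asc nettcp_fix2
        table = parse_checksum_table(open(sys.argv[1]).read())
        for name, result in sorted(verify_fixes(sys.argv[2], table).items()):
            print(f"{result:8s} {name}")
    else:
        print(demo())
```

        Treat any MISMATCH as a reason to stop: the advisory's instruction is
        to contact security-alert@austin.ibm.com rather than install the
        package, and a digest match alone does not prove origin, which is what
        the signature check adds.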
        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p            # where ipkg_name is the name of the
                                        # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X            # where ipkg_name is the name of the
                                        # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    None.

===============================================================================

CONTACT US:

    Note: Keywords labeled as KEY in this document are used for parsing
    purposes.

    If you would like to receive AIX Security Advisories via email,
    please visit "My Notifications":

        http://www.ibm.com/support/mynotifications

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To obtain the OpenSSL public key that can be used to verify the
    signed advisories and ifixes:

        Download the key from our web page:

        http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team via security-alert@austin.ibm.com
    you can either:

        A. Download the key from our web page:

        http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

        B. Download the key from a PGP Public Key Server. The key ID is:

        0x28BFAA12

    Please contact your local IBM AIX support center for any
    assistance.
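    The VULNERABILITY DETAILS section describes CVE-2015-7575 as a server
    signing ServerKeyExchange with MD5. Whether a given TLS 1.2 endpoint is
    still willing to do that can be tested from the outside: offer a
    ClientHello whose signature_algorithms extension contains only rsa/md5
    (0x01 0x01) together with ECDHE-RSA and DHE-RSA suites, and look at the
    SignatureAndHashAlgorithm the server puts in its ServerKeyExchange. A
    fixed server answers with a handshake_failure alert or closes the
    connection; a vulnerable one returns a ServerKeyExchange whose
    signature algorithm bytes are 01 01. The script below is an added
    example, not part of the IBM advisory or of AIX. The cipher-suite lists,
    the verdict strings and the use of a raw TLS socket are assumptions of
    the example; it speaks to implicit-TLS ports (imaps 993, pop3s 995,
    smtps 465, https 443) and does not implement the STARTTLS preamble that
    the advisory's sendmail/imap/pop3d/ftp services need on their plaintext
    ports. No network is required to exercise the builder and parser.

```python
"""Probe whether a TLS 1.2 server will sign ServerKeyExchange with RSA/MD5,
the precondition for SLOTH (CVE-2015-7575).  Added example, not IBM's code."""
import os
import socket
import struct

RSA_MD5 = b"\x01\x01"                          # hash=md5(1) sig=rsa(1), RFC 5246 7.4.1.4.1
ECDHE_RSA = (0xC013, 0xC014, 0xC02F, 0xC030)   # ServerKeyExchange carries an EC point
DHE_RSA = (0x0033, 0x0039, 0x009E)             # ServerKeyExchange carries p, g, Ys


def extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def handshake_msg(msg_type, body):
    """Handshake header: 1-byte type followed by a 24-bit length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(host, sigalgs=RSA_MD5, client_random=None):
    """TLS 1.2 ClientHello in one record; only `sigalgs` are offered."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in ECDHE_RSA + DHE_RSA)
    name = host.encode()
    exts = (extension(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)  # SNI
            + extension(0x000A, struct.pack("!HHH", 4, 0x0017, 0x0018))  # groups P-256, P-384
            + extension(0x000B, b"\x01\x00")                              # uncompressed points
            + extension(0x000D, struct.pack("!H", len(sigalgs)) + sigalgs))  # signature_algorithms
    body = (b"\x03\x03" + client_random + b"\x00"                    # TLS 1.2, random, no session
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = handshake_msg(1, body)                                      # 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # handshake record


def parse_handshakes(data):
    """Split concatenated handshake payloads into [(type, body)]."""
    msgs, i = [], 0
    while i + 4 <= len(data):
        length = int.from_bytes(data[i + 1:i + 4], "big")
        if i + 4 + length > len(data):
            break
        msgs.append((data[i], data[i + 4:i + 4 + length]))
        i += 4 + length
    return msgs


def analyse(handshake_bytes):
    """Return (server_version, cipher_suite, ske_sigalg or None)."""
    version = suite = sigalg = None
    for mtype, body in parse_handshakes(handshake_bytes):
        if mtype == 2:                                      # ServerHello
            version = struct.unpack("!H", body[:2])[0]
            sid_len = body[34]                               # version(2) random(32) sid_len(1)
            suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        elif mtype == 12 and version == 0x0303:             # ServerKeyExchange, TLS 1.2 only
            if suite in ECDHE_RSA:
                off = 4 + body[3]                            # curve_type(1) curve(2) len(1) point
            else:
                off = 0
                for _ in range(3):                           # p, g, Ys, each 2-byte length prefixed
                    off += 2 + struct.unpack("!H", body[off:off + 2])[0]
            sigalg = body[off:off + 2]                       # SignatureAndHashAlgorithm
    return version, suite, sigalg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def collect_flight(sock):
    """Read records until ServerHelloDone, an alert, or close.
    Returns (handshake_bytes, alert_payload_or_None)."""
    hs = b""
    while True:
        hdr = recv_exact(sock, 5)
        if len(hdr) < 5:
            return hs, None
        ctype, _, length = struct.unpack("!BHH", hdr)
        payload = recv_exact(sock, length)
        if ctype == 21:                                      # alert
            return hs, payload
        if ctype == 22:                                      # handshake
            hs += payload
            if any(t == 14 for t, _ in parse_handshakes(hs)):  # 14 = server_hello_done
                return hs, None


def probe(host, port=443, timeout=5.0):
    """'md5-signed' means the server accepted rsa_md5 and signed with it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        hs, alert = collect_flight(s)
    version, suite, sigalg = analyse(hs)
    if sigalg == RSA_MD5:
        return "md5-signed"
    if suite is None or alert is not None:
        return "refused"
    if version != 0x0303:
        return "downgraded"         # pre-1.2 has no sigalg field; separate problem
    return "other-sig" if sigalg else "no-ske"
```

    A "downgraded" result (the server chose TLS 1.0 or 1.1 in its ServerHello)
    is reported separately because those versions have no signature_algorithms
    negotiation at all, which is the CVE-2016-0266 side of this bulletin rather
    than SLOTH. "other-sig" means the server ignored the offered list and
    signed with a different algorithm; that is non-compliant but not the
    MD5 exposure this check looks for.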
REFERENCES:

    Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide
    On-line Calculator v3: http://www.first.org/cvss/calculator/3.0

ACKNOWLEDGEMENTS:

    None

CHANGE HISTORY:

    First Issued: Tue Jul 26 13:50:13 CDT 2016
    Updated: Thu Aug 4 12:27:57 CDT 2016
    Update: Clarified that the fixes provided for AIX 7.1.4 and 7.2.0 are
        compatible across previous SPs for the respective TL.
    Updated: Tue Aug 9 09:31:01 CDT 2016
    Update: Additional iFixes provided for AIX 6.1.9.5, 6.1.9.6, 7.1.3.5,
        and 7.1.3.6.
|   Updated: Thu Oct 20 10:56:28 CDT 2016
|   Update: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
|       7.1.3.5, and 7.1.3.6. Scope increased to include ftp/ftpd and
|       ndpd-host/ndpd-router.

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.