ntp_advisory6.asc: Version 6 Version 6 Issued: Tue Aug 16 11:41:45 CDT 2016 Version 6 Changes: Fix added for AIX 7.2.0.2 and is now included in the tar file, ntp_fix6.tar. AIX 7.2.0.2 iFix for NTPv3: IV83995s2b.160713.epkg.Z IBM SECURITY ADVISORY First Issued: Wed Jun 8 13:17:48 CDT 2016 |Updated: Tue Aug 16 11:41:45 CDT 2016 |Update: Added iFix for AIX 7.2.0.2. The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc Security Bulletin: Vulnerabilities in NTP affect AIX CVE-2015-7973 CVE-2015-7977 CVE-2015-7979 CVE-2015-8158 CVE-2015-8139 CVE-2015-8140 =============================================================================== SUMMARY: There are multiple vulnerabilities in NTP that impact AIX. =============================================================================== VULNERABILITY DETAILS: CVEID: CVE-2015-7973 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 DESCRIPTION: NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. CVSS Base Score: 5.4 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110018 for more information. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) CVEID: CVE-2015-7977 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977 DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110022 for more information. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2015-7979 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979 DESCRIPTION: NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. CVSS Base Score: 6.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110024 for more information. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L) CVEID: CVE-2015-8139 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139 DESCRIPTION: NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110027 for more information. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2015-8140 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8140 DESCRIPTION: NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110028 for more information. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2015-8158 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158 DESCRIPTION: NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base Score: 5.3 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110026 for more information. CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) AFFECTED PRODUCTS AND VERSIONS: AIX 5.3, 6.1, 7.1, 7.2 VIOS 2.2.x The following fileset levels are vulnerable: key_fileset = aix For NTPv3: Fileset Lower Level Upper Level KEY PRODUCT(S) ----------------------------------------------------------------- bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3 bos.net.tcp.client 6.1.9.0 6.1.9.102 key_w_fs NTPv3 bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs NTPv3 bos.net.tcp.client 7.1.4.0 7.1.4.1 key_w_fs NTPv3 bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3 bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3 For NTPv4: Fileset Lower Level Upper Level KEY PRODUCT(S) ----------------------------------------------------------------- ntp.rte 6.1.6.0 6.1.6.5 key_w_fs NTPv4 ntp.rte 7.1.0.0 7.1.0.5 key_w_fs NTPv4 Note: to find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide. Example: lslpp -L | grep -i ntp.rte REMEDIATION: A. APARS IBM has assigned the following APARs to this problem: For NTPv3: AIX Level APAR Availability SP KEY PRODUCT(S) ------------------------------------------------------------ 5.3.12 IV84269 N/A key_w_apar NTPv3 6.1.9 IV83984 10/21/16 SP8 key_w_apar NTPv3 7.1.3 IV83993 1/27/17 SP8 key_w_apar NTPv3 7.1.4 IV83994 10/21/16 SP3 key_w_apar NTPv3 7.2.0 IV83995 1/27/17 SP3 key_w_apar NTPv3 For NTPv4: AIX Level APAR Availability SP KEY PRODUCT(S) ------------------------------------------------------------ 6.1.9 IV83992 10/21/16 SP8 key_w_apar NTPv4 7.1.3 IV83983 1/27/17 SP8 key_w_apar NTPv4 7.1.4 IV83983 10/21/16 SP3 key_w_apar NTPv4 7.2.0 IV83983 1/27/17 SP3 key_w_apar NTPv4 Subscribe to the APARs here: http://www.ibm.com/support/docview.wss?uid=isg1IV83983 http://www.ibm.com/support/docview.wss?uid=isg1IV83984 http://www.ibm.com/support/docview.wss?uid=isg1IV83992 http://www.ibm.com/support/docview.wss?uid=isg1IV83993 http://www.ibm.com/support/docview.wss?uid=isg1IV83994 http://www.ibm.com/support/docview.wss?uid=isg1IV83995 http://www.ibm.com/support/docview.wss?uid=isg1IV84269 By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available. B. FIXES Fixes are available. The fixes can be downloaded via ftp or http from: ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar http://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar https://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels. For NTPv3: AIX Level Interim Fix (*.Z) KEY PRODUCT(S) ---------------------------------------------------------- 5.3.12.9 IV84269m9a.160522.epkg.Z key_w_fix NTPv3 6.1.9.4 IV83984m4a.160506.epkg.Z key_w_fix NTPv3 6.1.9.5 IV83984m5a.160510.epkg.Z key_w_fix NTPv3 6.1.9.6 IV83984m6a.160504.epkg.Z key_w_fix NTPv3 6.1.9.7 IV83984s7a.160622.epkg.Z key_w_fix NTPv3 7.1.3.4 IV83993m4b.160510.epkg.Z key_w_fix NTPv3 7.1.3.5 IV83993m5a.160510.epkg.Z key_w_fix NTPv3 7.1.3.6 IV83993m6a.160505.epkg.Z key_w_fix NTPv3 7.1.3.7 IV83993s7a.160714.epkg.Z key_w_fix NTPv3 7.1.4.0 IV83994m1a.160505.epkg.Z key_w_fix NTPv3 7.1.4.1 IV83994m1a.160505.epkg.Z key_w_fix NTPv3 7.1.4.2 IV83994s2a.160620.epkg.Z key_w_fix NTPv3 7.2.0.0 IV83995m0a.160510.epkg.Z key_w_fix NTPv3 7.2.0.1 IV83995m1a.160601.epkg.Z key_w_fix NTPv3 | 7.2.0.2 IV83995s2b.160713.epkg.Z key_w_fix NTPv3 VIOS Level Interim Fix (*.Z) KEY PRODUCT(S) ----------------------------------------------------------- 2.2.4.0 IV83984m6a.160504.epkg.Z key_w_fix NTPv3 2.2.4.2x IV83984s7a.160622.epkg.Z key_w_fix NTPv3 For NTPv4: AIX Level Interim Fix (*.Z) KEY PRODUCT(S) ---------------------------------------------------------- 6.1.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4 7.1.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4 7.2.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4 VIOS Level Interim Fix (*.Z) KEY PRODUCT(S) ----------------------------------------------------------- 2.2.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4 All fixes included are cumulative and address previously issued AIX NTP security bulletins with respect to SP and TL. To extract the fixes from the tar file: tar xvf ntp_fix6.tar cd ntp_fix6 Verify you have retrieved the fixes intact: The checksums below were generated using the "openssl dgst -sha256 file" command as the followng: openssl dgst -sha256 filename KEY ----------------------------------------------------------------------------------------------------- 1dde048eab83d5519a8331f2db377a010f6adccb24665eaebabf2d8fb55decda IV83983s5a.160602.epkg.Z key_w_csum afbe3f7603602dc81f7a55dd68f7e00f6d6c90672cc91dca6d647a5e9455f470 IV83984m4a.160506.epkg.Z key_w_csum 1df47de2dc201ac958da849a126b68f9c58c88ec4bd11ab0874465f25ba92878 IV83984m5a.160510.epkg.Z key_w_csum 7b26d3a1e5e420e2c93febbd87f73806cdef506793abe7508d189ef6ee2596a7 IV83984m6a.160504.epkg.Z key_w_csum 14ec9d1beab7335c197662ad57e112b17c25f2ffc13bb9b9767416b5dda9251b IV83984s7a.160622.epkg.Z key_w_csum 657a259c37c99aa990933f1ecd7719fcb07c7852acd3236bc33f932c45ad5bee IV83992s5a.160602.epkg.Z key_w_csum cb890c4c7d3a0ab09fe10da469721737d2a4cbd3baa4da5214e68ce467a6b1b0 IV83993m4b.160510.epkg.Z key_w_csum 3b78ac22352ec959be91a561f23b13912f7fbda00974d818c5a66bc332e85abc IV83993m5a.160510.epkg.Z key_w_csum 0c73bb6b7da724d29400c4398fb98bc3cfb45a88e9744879fcde6c421108bee6 IV83993m6a.160505.epkg.Z key_w_csum 86998a1cb16cc5d5f941fe737709cd210754d85449a4cb280662026f6ef5bf09 IV83993s7a.160714.epkg.Z key_w_csum c3abfb2272f6a6793f2ef9c4d5e8a54cf5d60c20d49b65414a9c5d2d28b9c964 IV83994m1a.160505.epkg.Z key_w_csum 540fcf0df555219d88619bac9e7de276010d26fad5957d5bac8decd19798bd93 IV83994s2a.160620.epkg.Z key_w_csum 7b214849e3d46c41498eef287497e7576f89fe274ca4305a6b3e5eb7e2be63dd IV83995m0a.160510.epkg.Z key_w_csum 97c9b857e023d89fdfc22730938ea4127c7efce25628d76abdc86337f64f7a03 IV83995m1a.160601.epkg.Z key_w_csum | ef7f0f4a205af86be406ed7b1258080f8e916e5e6fbc86a8b7cdd927f670cd29 IV83995s2b.160713.epkg.Z key_w_csum 732f0254ace2786f5e7ddadef10e1e64cc381ecf5d6ebb9131b64115f87e8d52 IV84269m9a.160522.epkg.Z key_w_csum These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Security at security-alert@austin.ibm.com and describe the discrepancy. openssl dgst -sha1 -verify -signature .sig openssl dgst -sha1 -verify -signature .sig Published advisory OpenSSL signature file location: http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig C. FIX AND INTERIM FIX INSTALLATION IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. The fix will not take affect until any running xntpd servers have been stopped and restarted with the following commands: stopsrc -s xntpd startsrc -s xntpd To preview a fix installation: installp -a -d fix_name -p all # where fix_name is the name of the # fix package being previewed. To install a fix package: installp -a -d fix_name -X all # where fix_name is the name of the # fix package being installed. After installation the ntp daemon must be restarted: stopsrc -s xntpd startsrc -s xntpd Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them. Interim fix management documentation can be found at: http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html To preview an interim fix installation: emgr -e ipkg_name -p # where ipkg_name is the name of the # interim fix package being previewed. To install an interim fix package: emgr -e ipkg_name -X # where ipkg_name is the name of the # interim fix package being installed. WORKAROUNDS AND MITIGATIONS: For CVE-2015-8139 and CVE-2015-8140: Monitor your ntpd instances. If this sort of attack is an active problem for you, you have deeper problems to investigate. Also consider having smaller NTP broadcast domains. If you must enable mode 7: configure the use of a requestkey to control who can issue mode 7 requests. configure restrict noquery to further limit mode 7 requests to trusted sources. Don't use broadcast mode if you cannot monitor your client servers. =============================================================================== CONTACT US: Note: Keywords labeled as KEY in this document are used for parsing purposes. If you would like to receive AIX Security Advisories via email, please visit "My Notifications": http://www.ibm.com/support/mynotifications To view previously issued advisories, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To obtain the OpenSSL public key that can be used to verify the signed advisories and ifixes: Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt To obtain the PGP public key that can be used to communicate securely with the AIX Security Team via security-alert@austin.ibm.com you can either: A. Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt B. Download the key from a PGP Public Key Server. The key ID is: 0x28BFAA12 Please contact your local IBM AIX support center for any assistance. REFERENCES: Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide On-line Calculator v3: http://www.first.org/cvss/calculator/3.0 ACKNOWLEDGEMENTS: None CHANGE HISTORY: First Issued: Wed Jun 8 13:17:48 CDT 2016 Updated: Thu Jun 9 11:04:06 CDT 2016 Update: CVE-2015-8139 and CVE-2015-8140 added with clarified Workarounds and Mitigations section. Updated: Mon Jun 20 10:45:48 CDT 2016 Update: Added iFix for AIX 7.1.4.2. Updated: Wed Jun 22 10:25:29 CDT 2016 Update: Added iFix for AIX 6.1.9.7 and VIOS 2.2.4.20. Updated: Tue Jul 19 11:47:37 CDT 2016 Update: Added iFix for AIX 7.1.3.7. | Updated: Tue Aug 16 11:41:45 CDT 2016 | Update: Added iFix for AIX 7.2.0.2. =============================================================================== *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.