ntp_advisory7.asc: Version 2
Issued: Tue Sep 13 08:23:22 CDT 2016
Version 2 Changes: Changed the impacted upper level filesets listed for
NTPv4. The new levels should match the prereqs as listed in the iFixes.

IBM SECURITY ADVISORY

First Issued: Tue Sep 6 09:07:16 CDT 2016
|Updated: Tue Sep 13 08:23:22 CDT 2016
|Update: Changed the impacted upper level filesets listed for NTPv4.

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc

Security Bulletin: Vulnerabilities in NTP affect AIX

CVE-2015-7974  CVE-2016-1550  CVE-2016-1551  CVE-2016-2517
CVE-2016-2518  CVE-2016-2519  CVE-2016-1547  CVE-2016-4957
CVE-2016-4953  CVE-2016-4954  CVE-2016-4955

===============================================================================

SUMMARY:

    There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.

===============================================================================

VULNERABILITY DETAILS:

    NTPv3 and NTPv4 are vulnerable to:

    CVEID: CVE-2015-7974
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
    DESCRIPTION: NTP could allow a remote authenticated attacker to conduct
        spoofing attacks, caused by a missing key check. An attacker could
        exploit this vulnerability to impersonate a peer.
    CVSS Base Score: 5.3
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/110019
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

    CVEID: CVE-2016-1550
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550
    DESCRIPTION: NTP could allow a local attacker to bypass security
        restrictions, caused by the failure to use a constant-time memory
        comparison function when validating the authentication digest on
        incoming packets. By sending a specially crafted packet with an
        authentication payload, an attacker could exploit this vulnerability
        to conduct a timing attack to compute the value of the valid
        authentication digest.
    CVSS Base Score: 4.0
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/112742
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

    CVEID: CVE-2016-1551
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551
    DESCRIPTION: While the majority of OSes implement martian packet
        filtering in their network stack, at least regarding 127.0.0.0/8, a
        rare few will allow packets claiming to be from 127.0.0.0/8 that
        arrive over a physical network. On these OSes, if ntpd is configured
        to use a reference clock, an attacker can inject packets over the
        network that look like they are coming from that reference clock.
    CVSS Base Score: 3.7
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/112743
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

    CVEID: CVE-2016-2517
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517
    DESCRIPTION: If ntpd was expressly configured to allow for remote
        configuration, a malicious user who knows the controlkey for ntpq
        or the requestkey for ntpdc (if mode7 is expressly enabled) can
        create a session with ntpd and then send a crafted packet to ntpd
        that will change the value of the trustedkey, controlkey, or
        requestkey to a value that will prevent any subsequent
        authentication with ntpd until ntpd is restarted.
    CVSS Base Score: 4.2
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/112745
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

    CVEID: CVE-2016-2518
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518
    DESCRIPTION: NTP is vulnerable to a denial of service, caused by an
        error when using a specially crafted packet to create a peer
        association with hmode > 7. An attacker could exploit this
        vulnerability to cause the MATCH_ASSOC() function to trigger an
        out-of-bounds read.
    CVSS Base Score: 2.0
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/112746
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)

    CVEID: CVE-2016-2519
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519
    DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
        failure to always check the ctl_getitem() function return value.
        By sending an overly large value, an attacker could exploit this
        vulnerability to cause a denial of service.
    CVSS Base Score: 4.2
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/112747
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

    NTPv4 is additionally vulnerable to:

    CVEID: CVE-2016-1547
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547
    DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
        demobilization of a preemptable client association. By sending
        specially crafted crypto NAK packets, an attacker could exploit
        this vulnerability to cause a denial of service.
    CVSS Base Score: 3.7
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/112739
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

    CVEID: CVE-2016-4957
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957
    DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
        improper handling of packets. By sending specially crafted
        CRYPTO_NAK packets, an attacker could exploit this vulnerability
        to cause ntpd to crash.
    CVSS Base Score: 7.5
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/113695
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    CVEID: CVE-2016-4953
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953
    DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
        improper handling of packets. By sending specially crafted
        CRYPTO_NAK packets to an ephemeral peer target prior to a response
        being sent, a remote attacker could exploit this vulnerability to
        demobilize the ephemeral association.
    CVSS Base Score: 3.7
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/113696
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

    CVEID: CVE-2016-4954
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954
    DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
        improper handling of packets. By sending spoofed server packets
        with correct origin timestamps, a remote attacker could exploit
        this vulnerability to cause a false leap indication to be set.
    CVSS Base Score: 3.7
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/113697
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

    CVEID: CVE-2016-4955
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955
    DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
        improper handling of packets. By sending spoofed CRYPTO_NAK or
        bad-MAC packets with correct origin timestamps, a remote attacker
        could exploit this vulnerability to cause the autokey association
        to reset.
    CVSS Base Score: 3.7
    CVSS Temporal Score: See
        https://exchange.xforce.ibmcloud.com/vulnerabilities/113698
        for more information.
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

AFFECTED PRODUCTS AND VERSIONS:

    AIX 5.3, 6.1, 7.1, 7.2
    VIOS 2.2.x

    The following fileset levels are vulnerable:

    key_fileset = aix

    For NTPv3:

    Fileset             Lower Level  Upper Level  KEY       PRODUCT(S)
    -----------------------------------------------------------------
    bos.net.tcp.client  5.3.12.0     5.3.12.10    key_w_fs  NTPv3
    bos.net.tcp.client  6.1.9.0      6.1.9.102    key_w_fs  NTPv3
    bos.net.tcp.client  7.1.3.0      7.1.3.47     key_w_fs  NTPv3
    bos.net.tcp.client  7.1.4.0      7.1.4.1      key_w_fs  NTPv3
    bos.net.tcp.ntp     7.2.0.0      7.2.0.2      key_w_fs  NTPv3
    bos.net.tcp.ntpd    7.2.0.0      7.2.0.2      key_w_fs  NTPv3

    For NTPv4:

    Fileset             Lower Level  Upper Level  KEY       PRODUCT(S)
    -----------------------------------------------------------------
|   ntp.rte             6.1.6.0      6.1.6.7      key_w_fs  NTPv4
|   ntp.rte             7.1.0.0      7.1.0.7      key_w_fs  NTPv4

    Note: to find out whether the affected filesets are installed on your
    systems, refer to the lslpp command found in the AIX user's guide.

    Example: lslpp -L | grep -i ntp.rte

REMEDIATION:

    A. APARS

        IBM has assigned the following APARs to this problem:

        For NTPv3:

        AIX Level  APAR     Availability  SP   KEY         PRODUCT(S)
        ------------------------------------------------------------
        5.3.12     IV87614  N/A                key_w_apar  NTPv3
        6.1.9      IV87419  11/11/16      SP8  key_w_apar  NTPv3
        7.1.3      IV87615  1/27/17       SP8  key_w_apar  NTPv3
        7.1.4      IV87420  11/11/16      SP3  key_w_apar  NTPv3
        7.2.0      IV87939  1/27/17       SP3  key_w_apar  NTPv3

        For NTPv4:

        AIX Level  APAR     Availability  SP   KEY         PRODUCT(S)
        ------------------------------------------------------------
        6.1.9      IV87278  11/11/16      SP8  key_w_apar  NTPv4
        7.1.3      IV87279  1/27/17       SP8  key_w_apar  NTPv4
        7.1.4      IV87279  11/11/16      SP3  key_w_apar  NTPv4
        7.2.0      IV87279  1/27/17       SP3  key_w_apar  NTPv4

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV87614
        http://www.ibm.com/support/docview.wss?uid=isg1IV87419
        http://www.ibm.com/support/docview.wss?uid=isg1IV87615
        http://www.ibm.com/support/docview.wss?uid=isg1IV87420
        http://www.ibm.com/support/docview.wss?uid=isg1IV87939
        http://www.ibm.com/support/docview.wss?uid=isg1IV87278
        http://www.ibm.com/support/docview.wss?uid=isg1IV87279

        By subscribing, you will receive periodic email alerting you to the
        status of the APAR, and a link to download the fix once it becomes
        available.

    B. FIXES

        Fixes are available.

        The fixes can be downloaded via ftp or http from:

        ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar
        http://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar
        https://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar

        The link above is to a tar file containing this signed advisory, fix
        packages, and OpenSSL signatures for each package.

        The fixes below include prerequisite checking. This will enforce the
        correct mapping between the fixes and AIX Technology Levels.
        For NTPv3:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        5.3.12.9   IV87614m9a.160901.epkg.Z  key_w_fix  NTPv3
        6.1.9.5    IV87419m5d.160823.epkg.Z  key_w_fix  NTPv3
        6.1.9.6    IV87419m6a.160823.epkg.Z  key_w_fix  NTPv3
        6.1.9.7    IV87419m7a.160901.epkg.Z  key_w_fix  NTPv3
        7.1.3.5    IV87615m5a.160823.epkg.Z  key_w_fix  NTPv3
        7.1.3.6    IV87615m6a.160824.epkg.Z  key_w_fix  NTPv3
        7.1.3.7    IV87615m7a.160901.epkg.Z  key_w_fix  NTPv3
        7.1.4.0    IV87420m0a.160825.epkg.Z  key_w_fix  NTPv3
        7.1.4.1    IV87420m0a.160825.epkg.Z  key_w_fix  NTPv3
        7.1.4.2    IV87420m2a.160901.epkg.Z  key_w_fix  NTPv3
        7.2.0.0    IV87939m0b.160830.epkg.Z  key_w_fix  NTPv3
        7.2.0.1    IV87939m0b.160830.epkg.Z  key_w_fix  NTPv3
        7.2.0.2    IV87939m2a.160901.epkg.Z  key_w_fix  NTPv3

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        2.2.4.0     IV87419m6a.160823.epkg.Z  key_w_fix  NTPv3
        2.2.4.2x    IV87419m7a.160901.epkg.Z  key_w_fix  NTPv3

        For NTPv4:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        6.1.x      IV87278s7a.160901.epkg.Z  key_w_fix  NTPv4
        7.1.x      IV87279s7a.160901.epkg.Z  key_w_fix  NTPv4
        7.2.x      IV87279s7a.160901.epkg.Z  key_w_fix  NTPv4

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        2.2.x       IV87278s7a.160901.epkg.Z  key_w_fix  NTPv4

        All fixes included are cumulative and address previously issued AIX
        NTP security bulletins with respect to SP and TL.
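        Before fetching a fix it is worth confirming which installed filesets
        the table under AFFECTED PRODUCTS AND VERSIONS actually covers. The
        advisory's suggested "lslpp -L | grep -i ntp.rte" lists levels but
        leaves the range comparison to the reader, and a plain string compare
        gets it wrong (6.1.9.102 sorts below 6.1.9.11). The POSIX sh script
        below is an added example, not part of the IBM advisory or any IBM
        tool: it reads the key_w_fs lines (from the embedded copy of the table
        above, or from a saved advisory file given as a path), compares levels
        field by field, and reports the product name for each vulnerable
        entry. The function names are the example's own, and the lslpp output
        at the end is constructed, not captured from a system.

```shell
#!/bin/sh
# Added example, not part of the IBM advisory: decide whether an installed
# fileset level lies inside one of the vulnerable ranges from the advisory's
# "AFFECTED PRODUCTS AND VERSIONS" table, using the key_w_fs lines that the
# advisory labels for parsing.

# The advisory's key_w_fs lines, copied from the table (change bars "|"
# included, as the advisory prints them).
KEY_W_FS_LINES='bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3
bos.net.tcp.client 6.1.9.0 6.1.9.102 key_w_fs NTPv3
bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs NTPv3
bos.net.tcp.client 7.1.4.0 7.1.4.1 key_w_fs NTPv3
bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3
bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3
| ntp.rte 6.1.6.0 6.1.6.7 key_w_fs NTPv4
| ntp.rte 7.1.0.0 7.1.0.7 key_w_fs NTPv4'

# key_w_fs_lines [ADVISORY_FILE]: print the key_w_fs lines, from a saved copy
# of the advisory when a path is given, otherwise from the embedded copy,
# with any leading change bar stripped.
key_w_fs_lines() {
    if [ -n "${1:-}" ]; then
        grep ' key_w_fs ' "$1"
    else
        printf '%s\n' "$KEY_W_FS_LINES"
    fi | sed 's/^[| ]*//'
}

# level_cmp A B: compare two dotted fileset levels field by field as
# integers; prints -1, 0 or 1. Missing trailing fields count as 0.
level_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p != q) { r = (p < q) ? -1 : 1; print r; exit }
        }
        print 0
    }'
}

# vulnerable_product FILESET LEVEL [ADVISORY_FILE]: print the product
# (NTPv3 or NTPv4) and return 0 when LEVEL lies within a vulnerable range
# for FILESET; return 1 and print nothing otherwise.
vulnerable_product() {
    fs=$1; lvl=$2; hit=
    while read -r name lo hi key prod; do
        [ "$key" = key_w_fs ] && [ "$name" = "$fs" ] || continue
        if [ "$(level_cmp "$lvl" "$lo")" -ge 0 ] && [ "$(level_cmp "$lvl" "$hi")" -le 0 ]; then
            hit=$prod
            break
        fi
    done <<EOF
$(key_w_fs_lines "${3:-}")
EOF
    [ -n "$hit" ] && echo "$hit"
}

# scan_lslpp [ADVISORY_FILE]: read "lslpp -L"-style lines on stdin (fileset
# name first, level second) and print "fileset level product" for every
# entry whose level is vulnerable; header and separator lines are skipped.
scan_lslpp() {
    while read -r name lvl rest; do
        case $name in ''|Fileset|-*) continue ;; esac
        if prod=$(vulnerable_product "$name" "$lvl" "${1:-}"); then
            echo "$name $lvl $prod"
        fi
    done
}

# Constructed sample of "lslpp -L | grep -i ntp" output (not a real system).
SAMPLE_LSLPP='  bos.net.tcp.client   7.1.3.46    C     F    TCP/IP Client Support
  ntp.rte              7.1.0.7     C     F    Network Time Protocol
  bos.net.tcp.ntp      7.2.0.3     C     F    NTP Client Support'

if [ "${1:-}" = "--demo" ]; then
    # On a real AIX system this would be:  lslpp -L | scan_lslpp
    printf '%s\n' "$SAMPLE_LSLPP" | scan_lslpp
fi
```

        Run with "--demo" to see the two vulnerable entries of the
        constructed sample; pipe real lslpp -L output into scan_lslpp to
        check a system, and pass the path of a saved advisory as the
        function's argument to use that file's key_w_fs lines instead of
        the embedded copy.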
        To extract the fixes from the tar file:

        tar xvf ntp_fix7.tar
        cd ntp_fix7

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256 file" command as follows:

        openssl dgst -sha256 filename                                                      KEY
        -----------------------------------------------------------------------------------------------------
        42f8a7cc469eb8db7b447b8bf37561ff1ac5b5b98f9ceac9cb5d6c31797a084f  IV87278s7a.160901.epkg.Z  key_w_csum
        74b64a7d219f1bb91e9979191b329e74ebd3ae453f9e6c7b5ba5c1bf483d8795  IV87279s7a.160901.epkg.Z  key_w_csum
        e2569c0033e79fe3b9072c4eb3b3fbb0e577ea78fa2d821aa9cfd9dff0728d01  IV87419m5d.160823.epkg.Z  key_w_csum
        64446d618397eb759b5aadd3135ec0e54d1f7e7fcfccdb500812fd799f79580f  IV87419m6a.160823.epkg.Z  key_w_csum
        2cfc0ac55e6bc5b0ade14e414004a113c49d63b8d9c0d1f9bb8f836ad402fde5  IV87419m7a.160901.epkg.Z  key_w_csum
        84f88fe1d81fdab21cbb1bca5c2cd0b9efd088123d5689cff2fc3070882269bb  IV87420m0a.160825.epkg.Z  key_w_csum
        0512a77d83b978e8c0e0e0400f170dedf5ff05544256b9119b3dd8010a80eaca  IV87420m2a.160901.epkg.Z  key_w_csum
        3681bf06ea3454bb988d0520a06aafe4c3a3dc2f0fc0e4d789f7b88cf44e70b1  IV87614m9a.160901.epkg.Z  key_w_csum
        86789563d0acf449d75f6b35fb8df94cd0af5d61eab05644454756960c13e5e0  IV87615m5a.160823.epkg.Z  key_w_csum
        f18ba3b6ac181feae7dc94b783e69ca22b7e747b60ebce5e24898807c011e92a  IV87615m6a.160824.epkg.Z  key_w_csum
        4163cd0088894bd035d0cc2484c7139363208f815daa603855ff16a49283e704  IV87615m7a.160901.epkg.Z  key_w_csum
        8f63ff8609fa769c89b0ce5e37a3b2292fdc930f9c4a75b2cb75e4073756f0ff  IV87939m0b.160830.epkg.Z  key_w_csum
        b70ff05f8ebb43e26535a2005630903a8b2efe035071a8ef16fe773cadedfcb9  IV87939m2a.160901.epkg.Z  key_w_csum

        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the integrity
        of the fixes. If the sums or signatures cannot be confirmed, contact
        IBM AIX Security at security-alert@austin.ibm.com and describe the
        discrepancy.
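        Comparing thirteen 64-character digests by eye is error-prone, and
        the advisory lays the table out one entry per line with the
        key_w_csum token precisely so that it can be parsed. The POSIX sh
        script below is an added example, not IBM's code: given a saved copy
        of this advisory and the directory produced by "tar xvf ntp_fix7.tar",
        it recomputes each listed package's SHA-256 with "openssl dgst
        -sha256" as the advisory does (falling back to sha256sum where
        openssl is not installed, an assumption made for portability) and
        reports OK, MISMATCH or MISSING per file, exiting non-zero if any
        entry fails. The function names are the example's own; it assumes
        the advisory's "digest filename key_w_csum" line layout.

```shell
#!/bin/sh
# Added example, not part of the IBM advisory: verify every key_w_csum entry
# of a saved advisory against the files in the unpacked fix directory.

# sha256_of FILE: print the hex SHA-256 of FILE, using "openssl dgst -sha256"
# as the advisory does; sha256sum is an assumed fallback for hosts without
# openssl. Both print the digest as the last whitespace-separated field.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# verify_fix_checksums ADVISORY_FILE FIX_DIR
# Reads lines of the form "<sha256> <filename> key_w_csum" from ADVISORY_FILE
# (all other lines are ignored), checks each named file under FIX_DIR and
# prints one status line per entry. Returns 0 only when at least one entry
# was found and every entry matched; a missing file counts as a failure.
verify_fix_checksums() {
    advisory=$1; dir=$2; bad=0; seen=0
    while read -r expected name key; do
        [ "$key" = key_w_csum ] || continue
        seen=$((seen + 1))
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            bad=$((bad + 1))
            continue
        fi
        actual=$(sha256_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $actual)"
            bad=$((bad + 1))
        fi
    done < "$advisory"
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: sh verify_fixes.sh ntp_advisory7.asc ntp_fix7
if [ "$#" -eq 2 ]; then
    verify_fix_checksums "$1" "$2"
fi
```

        A zero exit status means every package listed in the advisory was
        present and matched; treat any MISMATCH or MISSING line as a reason
        to stop and contact IBM as the advisory instructs, since the signed
        advisory is the reference and the downloaded tar is the artefact
        under test.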
        openssl dgst -sha1 -verify -signature .sig
        openssl dgst -sha1 -verify -signature .sig

        Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup of
        the system be created. Verify it is both bootable and readable
        before proceeding.

        The fix will not take effect until any running xntpd servers have
        been stopped and restarted with the following commands:

        stopsrc -s xntpd
        startsrc -s xntpd

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

        After installation the ntp daemon must be restarted:

        stopsrc -s xntpd
        startsrc -s xntpd

        Interim fixes have had limited functional and regression testing but
        not the full regression testing that takes place for Service Packs;
        however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p  # where ipkg_name is the name of the
                              # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X  # where ipkg_name is the name of the
                              # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    None.

===============================================================================

CONTACT US:

    Note: Keywords labeled as KEY in this document are used for parsing
    purposes.

    If you would like to receive AIX Security Advisories via email, please
    visit "My Notifications":

    http://www.ibm.com/support/mynotifications

    To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

    Comments regarding the content of this announcement can be directed to:

    security-alert@austin.ibm.com

    To obtain the OpenSSL public key that can be used to verify the signed
    advisories and ifixes:

    Download the key from our web page:

    http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

    To obtain the PGP public key that can be used to communicate securely
    with the AIX Security Team via security-alert@austin.ibm.com you can
    either:

    A. Download the key from our web page:

    http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

    B. Download the key from a PGP Public Key Server. The key ID is:

    0x28BFAA12

    Please contact your local IBM AIX support center for any assistance.

REFERENCES:

    Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide
    On-line Calculator v3: http://www.first.org/cvss/calculator/3.0

ACKNOWLEDGEMENTS:

    None

CHANGE HISTORY:

    First Issued: Tue Sep 6 09:07:16 CDT 2016
|   Updated: Tue Sep 13 08:23:22 CDT 2016
|   Update: Changed the impacted upper level filesets listed for NTPv4.

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.