IBM SECURITY ADVISORY First Issued: Thu Jul 6 14:53:51 CDT 2017 |Updated: Mon Nov 13 14:32:25 CST 2017 |Update 3: Clarified that AIX 7100-04-05, 7200-00-05, and 7200-01-03 are | impacted. An additional iFix is provided for AIX 7100-04-05. The | iFixes already provided for 7200-00 and 7200-01 cover 7200-00-05 | and 7200-01-03. The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc https://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc Security Bulletin: Vulnerabilities in NTP affect AIX CVE-2017-6451 CVE-2017-6458 CVE-2017-6462 CVE-2017-6464 =============================================================================== SUMMARY: There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX. =============================================================================== I.VULNERABILITY DETAILS: NTPv4 is vulnerable to: CVEID: CVE-2017-6458 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458 DESCRIPTION: NTP is vulnerable to a denial of service, caused by multiple buffer overflows in the ctl_put() functions. By sending an overly long string argument, a remote authenticated attacker could exploit this vulnerability to overflow a buffer and cause the application to crash. CVSS Base Score: 4.2 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123616 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H) CVEID: CVE-2017-6462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462 DESCRIPTION: NTP is vulnerable to a denial of service, caused by a buffer overflow in the legacy Datum Programmable Time Server refclock driver. By sending specially crafted packets, a local authenticated attacker could exploit this vulnerability to overflow a buffer and cause a denial of service. CVSS Base Score: 1.6 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123611 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L) CVEID: CVE-2017-6464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464 DESCRIPTION: NTP is vulnerable to a denial of service. A remote authenticated attacker could exploit this vulnerability using a malformed mode configuration directive to cause the application to crash. CVSS Base Score: 4.2 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123610 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H) NTPv3 is vulnerable to: CVEID: CVE-2017-6451 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451 DESCRIPTION: NTP could allow a local attacker to bypass security restrictions, caused by an out-of-bounds memory write when handling the return value of snprintf()/vsnprintf() functions. An attacker could exploit this vulnerability to overwrite a saved instruction pointer on the stack and gain control over the execution flow. CVSS Base Score: 1.8 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123617 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N) CVEID: CVE-2017-6458 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458 DESCRIPTION: NTP is vulnerable to a denial of service, caused by multiple buffer overflows in the ctl_put() functions. By sending an overly long string argument, a remote authenticated attacker could exploit this vulnerability to overflow a buffer and cause the application to crash. CVSS Base Score: 4.2 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123616 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H) CVEID: CVE-2017-6462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462 DESCRIPTION: NTP is vulnerable to a denial of service, caused by a buffer overflow in the legacy Datum Programmable Time Server refclock driver. By sending specially crafted packets, a local authenticated attacker could exploit this vulnerability to overflow a buffer and cause a denial of service. CVSS Base Score: 1.6 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123611 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L) CVEID: CVE-2017-6464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464 DESCRIPTION: NTP is vulnerable to a denial of service. A remote authenticated attacker could exploit this vulnerability using a malformed mode configuration directive to cause the application to crash. CVSS Base Score: 4.2 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123610 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H) II. AFFECTED PRODUCTS AND VERSIONS: AIX 5.3, 6.1, 7.1, 7.2 VIOS 2.2 The following fileset levels are vulnerable: key_fileset = aix For NTPv3: Fileset Lower Level Upper Level KEY PRODUCT(S) ------------------------------------------------------------------ bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3 bos.net.tcp.client 6.1.9.0 6.1.9.201 key_w_fs NTPv3 bos.net.tcp.client 7.1.3.0 7.1.3.49 key_w_fs NTPv3 bos.net.tcp.client 7.1.4.0 7.1.4.32 key_w_fs NTPv3 bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3 bos.net.tcp.ntp 7.2.1.0 7.2.1.0 key_w_fs NTPv3 bos.net.tcp.ntpd 7.2.0.0 7.2.0.3 key_w_fs NTPv3 bos.net.tcp.ntpd 7.2.1.0 7.2.1.1 key_w_fs NTPv3 For NTPv4: Fileset Lower Level Upper Level KEY PRODUCT(S) ----------------------------------------------------------------- ntp.rte 6.1.6.0 6.1.6.9 key_w_fs NTPv4 ntp.rte 7.1.0.0 7.1.0.9 key_w_fs NTPv4 Note: To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide. Example: lslpp -L | grep -i ntp.rte III. REMEDIATION: A. FIXES Fixes are available. The fixes can be downloaded via ftp or http from: ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix9.tar http://aix.software.ibm.com/aix/efixes/security/ntp_fix9.tar https://aix.software.ibm.com/aix/efixes/security/ntp_fix9.tar The links above are to a tar file containing this signed advisory, interim fixes, and OpenSSL signatures for each interim fix. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels. For NTPv3: AIX Level Interim Fix (*.Z) KEY PRODUCT(S) ---------------------------------------------------------- 5.3.12.9 IV96305m9a.170518.epkg.Z key_w_fix NTPv3 6.1.9.7 IV96306m9a.170519.epkg.Z key_w_fix NTPv3 6.1.9.8 IV96306m9a.170519.epkg.Z key_w_fix NTPv3 6.1.9.9 IV96306m9a.170519.epkg.Z key_w_fix NTPv3 7.1.3.7 IV96307m9a.170518.epkg.Z key_w_fix NTPv3 7.1.3.8 IV96307m9a.170518.epkg.Z key_w_fix NTPv3 7.1.3.9 IV96307m9a.170518.epkg.Z key_w_fix NTPv3 7.1.4.2 IV96308m4a.170518.epkg.Z key_w_fix NTPv3 7.1.4.3 IV96308m4a.170518.epkg.Z key_w_fix NTPv3 7.1.4.4 IV96308m4a.170518.epkg.Z key_w_fix NTPv3 | 7.1.4.5 IV96308m4b.171107.epkg.Z key_w_fix NTPv3 7.2.0.2 IV96309m4a.170518.epkg.Z key_w_fix NTPv3 7.2.0.3 IV96309m4a.170518.epkg.Z key_w_fix NTPv3 7.2.0.4 IV96309m4a.170518.epkg.Z key_w_fix NTPv3 7.2.0.5 IV96309m4a.170518.epkg.Z key_w_fix NTPv3 7.2.1.0 IV96310m2a.170519.epkg.Z key_w_fix NTPv3 7.2.1.1 IV96310m2a.170519.epkg.Z key_w_fix NTPv3 7.2.1.2 IV96310m2a.170519.epkg.Z key_w_fix NTPv3 7.2.1.3 IV96310m2a.170519.epkg.Z key_w_fix NTPv3 VIOS Level Interim Fix (*.Z) KEY PRODUCT(S) ----------------------------------------------------------- 2.2.4.2x IV96306m9a.170519.epkg.Z key_w_fix NTPv3 For NTPv4: AIX Level Interim Fix (*.Z) KEY PRODUCT(S) ---------------------------------------------------------- 6.1.9.7 IV96311m5a.170518.epkg.Z key_w_fix NTPv4 6.1.9.8 IV96311m5a.170518.epkg.Z key_w_fix NTPv4 6.1.9.9 IV96311m5a.170518.epkg.Z key_w_fix NTPv4 7.1.3.7 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.1.3.8 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.1.3.9 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.1.4.2 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.1.4.3 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.1.4.4 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.2.0.2 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.2.0.3 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.2.0.4 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.2.1.0 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.2.1.1 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 7.2.1.2 IV96312m5a.170518.epkg.Z key_w_fix NTPv4 All fixes included are cumulative and address previously issued AIX NTP security bulletins with respect to SP and TL. To extract the fixes from the tar file: tar xvf ntp_fix9.tar cd ntp_fix9 Verify you have retrieved the fixes intact: The checksums below were generated using the "openssl dgst -sha256 " command as the following: openssl dgst -sha256 filename KEY ----------------------------------------------------------------------------------------------------- 5fc5ac58dcc41f427bdd29da28cce00b5e90a0adf8f773592a21593bb7c0b72e IV96305m9a.170518.epkg.Z key_w_csum ed9469eea0622397eb9260fb8d0575562459a47c848d5a37a604f104833e9262 IV96306m9a.170519.epkg.Z key_w_csum 5ac9f3971dd2b090fe794b2e033230374c22d017ce8d93e8db91fa82ca820b69 IV96307m9a.170518.epkg.Z key_w_csum 770ceae338b4bdf6b3367abfc82c6c2d2fb0972c141434c434a60d5e230ca25a IV96308m4a.170518.epkg.Z key_w_csum | 2e9d5da20c67d8e7f47abc72c822fbc0dceff0ea0452a4002ab20f5478da1ece IV96308m4b.171107.epkg.Z key_w_csum 521c64dee9c966ad7f5347cd2983139045115a2ad48a8a8d1901c5e917f2e367 IV96309m4a.170518.epkg.Z key_w_csum 40cf7ffbf4476c8998164203f631fca4d1af12fe3494eb66e05217eaff6b3464 IV96310m2a.170519.epkg.Z key_w_csum 0cf956028c6d25ef1de3a40b1b42544e35e2208913b332f05980932a4ff1c3c7 IV96311m5a.170518.epkg.Z key_w_csum 9c7d969d0a9127217d15781b2a596f41023b41db7d91f3cf4c6ad2e5d9e088c8 IV96312m5a.170518.epkg.Z key_w_csum These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Security at security-alert@austin.ibm.com and describe the discrepancy. openssl dgst -sha1 -verify -signature .sig openssl dgst -sha1 -verify -signature .sig Published advisory OpenSSL signature file location: http://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc.sig https://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc.sig ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc.sig B. FIX AND INTERIM FIX INSTALLATION IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. The fix will not take affect until any running xntpd servers have been stopped and restarted with the following commands: stopsrc -s xntpd startsrc -s xntpd To preview a fix installation: installp -a -d fix_name -p all # where fix_name is the name of the # fix package being previewed. To install a fix package: installp -a -d fix_name -X all # where fix_name is the name of the # fix package being installed. After installation the ntp daemon must be restarted: stopsrc -s xntpd startsrc -s xntpd Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them. Interim fix management documentation can be found at: http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html To preview an interim fix installation: emgr -e ipkg_name -p # where ipkg_name is the name of the # interim fix package being previewed. To install an interim fix package: emgr -e ipkg_name -X # where ipkg_name is the name of the # interim fix package being installed. C. APARS IBM has assigned the following APARs to this problem: For NTPv3: AIX Level APAR Availability SP KEY PRODUCT(S) ------------------------------------------------------------ 5.3.12 IV96305 ** N/A key_w_apar NTPv3 6.1.9 IV96306 ** SP10 key_w_apar NTPv3 7.1.3 IV96307 ** N/A key_w_apar NTPv3 7.1.4 IV96308 ** SP6 key_w_apar NTPv3 7.2.0 IV96309 ** SP6 key_w_apar NTPv3 7.2.1 IV96310 ** SP4 key_w_apar NTPv3 For NTPv4: AIX Level APAR Availability SP KEY PRODUCT(S) ------------------------------------------------------------ 6.1.9 IV96311 ** SP10 key_w_apar NTPv4 7.1.3 IV96312 ** N/A key_w_apar NTPv4 7.1.4 IV96312 ** SP5 key_w_apar NTPv4 7.2.0 IV96312 ** SP5 key_w_apar NTPv4 7.2.1 IV96312 ** SP3 key_w_apar NTPv4 ** Please refer to AIX support lifecycle information page for of Service Packs Support: http://www-01.ibm.com/support/docview.wss?uid=isg3T1012517 Subscribe to the APARs here: https://www.ibm.com/support/docview.wss?uid=isg1IV96305 https://www.ibm.com/support/docview.wss?uid=isg1IV96306 https://www.ibm.com/support/docview.wss?uid=isg1IV96307 https://www.ibm.com/support/docview.wss?uid=isg1IV96308 https://www.ibm.com/support/docview.wss?uid=isg1IV96309 https://www.ibm.com/support/docview.wss?uid=isg1IV96310 https://www.ibm.com/support/docview.wss?uid=isg1IV96311 https://www.ibm.com/support/docview.wss?uid=isg1IV96312 By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available. IV. WORKAROUNDS AND MITIGATIONS: None. =============================================================================== CONTACT US: Note: Keywords labeled as KEY in this document are used for parsing purposes. If you would like to receive AIX Security Advisories via email, please visit "My Notifications": http://www.ibm.com/support/mynotifications https://www.ibm.com/support/mynotifications To view previously issued advisories, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq To obtain the OpenSSL public key that can be used to verify the signed advisories and ifixes: Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt Please contact your local IBM AIX support center for any assistance. REFERENCES: Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide https://www.first.org/cvss/user-guide On-line Calculator v3: http://www.first.org/cvss/calculator/3.0 https://www.first.org/cvss/calculator/3.0 ACKNOWLEDGEMENTS: None CHANGE HISTORY: First Issued: Thu Jul 6 14:53:51 CDT 2017 Updated: Wed Sep 13 11:08:51 CDT 2017 Update 1: Corrected the impacted Upper Level fileset levels. The following NTPv3 VRMFs are vulnerable: AIX 6.1.9: bos.net.tcp.client up to and including 6.1.9.201. AIX 7.1.3: bos.net.tcp.client up to and including 7.1.3.49. AIX 7.1.4: bos.net.tcp.client up to and including 7.1.4.31. AIX 7.2.0: bos.net.tcp.ntpd up to and including 7.2.0.3. AIX 7.2.1: bos.net.tcp.ntpd up to and including 7.2.1.1. The following NTPv4 VRMFs are vulnerable: ntp.rte 6.1: up to and including 6.1.6.9. ntp.rte 7.1: up to and including 7.1.0.9. Updated: Fri Oct 20 08:30:30 CDT 2017 Update 2: Corrected the impacted Upper Level fileset levels for 7100-04. The following NTPv3 VRMFs are vulnerable: AIX 7.1.4: bos.net.tcp.client up to and including 7.1.4.32. Corrected the APAR section to show that the relevant APARs are shipping in 7100-04-06, 7200-00-06, and 7200-01-04. | Updated: Mon Nov 13 14:32:25 CST 2017 | Update 3: Clarified that AIX 7100-04-05, 7200-00-05, and 7200-01-03 are | impacted. An additional iFix is provided for AIX 7100-04-05. The | iFixes already provided for 7200-00 and 7200-01 cover 7200-00-05 | and 7200-01-03. =============================================================================== *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.