History: Jul 26, 2016 - 1:50 p.m.

Vulnerabilities in MD5 Signature and Hash Algorithm and TLS 1.2 affects sendmail imap and pop3d on AIX
Vulnerabilities in MD5 Signature and Hash Algorithm and TLS 1.2 affects sendmail imap and pop3d on VIOS
Vulnerabilities in MD5 Signature and Hash Algorithm and TLS 1.2 affects sendmail imap pop3d ftp/ftpd and ndpd-host/ndpd-router on AIX

2016-07-26 13:50:13
CentOS Project
aix.software.ibm.com

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.004 Low
Percentile: 72.3%

nettcp_advisory2.asc: Version 4
Version 4 Issued: Thu Oct 20 10:56:28 CDT 2016
Version 4 Changes: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
7.1.3.5, and 7.1.3.6. For security reasons, it is highly recommended
to install these new iFixes. Bulletin scope increased to include
ftp/ftpd and ndpd-host/ndpd-router.

IBM SECURITY ADVISORY

First Issued: Tue Jul 26 13:50:13 CDT 2016
|Updated: Thu Oct 20 10:56:28 CDT 2016
|Update: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
| 7.1.3.5, and 7.1.3.6. Scope increased to include ftp/ftpd and
| ndpd-host/ndpd-router.

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
ftp://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc

Security Bulletin: Vulnerabilities in MD5 Signature and Hash Algorithm and
| TLS 1.2 affects sendmail, imap, pop3d, ftp/ftpd, and ndpd-host/ndpd-router
| on AIX (CVE-2015-7575 and CVE-2016-0266)

===============================================================================

SUMMARY:

| TLS 1.2 is not the default communication for sendmail, imap, pop3d,
| ftp/ftpd, and ndpd-host/ndpd-router, and TLS 1.2 is impacted by the MD5
| Sloth vulnerability.

===============================================================================

VULNERABILITY DETAILS:

CVEID: CVE-2015-7575
https://vulners.com/cve/CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security 
    caused by a collision attack when using the MD5 hash function for 
    signing a ServerKeyExchange message during a TLS handshake. An
    attacker could exploit this vulnerability using man-in-the-middle 
    techniques to impersonate a TLS server and obtain credentials.
CVSS Base Score: 7.1
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)

CVEID: CVE-2016-0266
https://vulners.com/cve/CVE-2016-0266
DESCRIPTION: IBM AIX does not require the newest version of TLS by default 
    which could allow a remote attacker to obtain sensitive information 
    using man in the middle techniques. 
CVSS Base Score: 3.7
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/110911 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) 

AFFECTED PRODUCTS AND VERSIONS:

    AIX 5.3, 6.1, 7.1, 7.2
    VIOS 2.2.x

    The following fileset levels are vulnerable:
    
    key_fileset = aix

    Fileset                 Lower Level  Upper Level KEY 
    ---------------------------------------------------------
    bos.net.tcp.client      5.3.12.0     5.3.12.10   key_w_fs
    bos.net.tcp.server      5.3.12.0     5.3.12.6    key_w_fs
    bos.net.tcp.client      6.1.9.0      6.1.9.102   key_w_fs
    bos.net.tcp.server      6.1.9.0      6.1.9.101   key_w_fs
    bos.net.tcp.client      7.1.3.0      7.1.3.47    key_w_fs
    bos.net.tcp.server      7.1.3.0      7.1.3.47    key_w_fs
    bos.net.tcp.client      7.1.4.0      7.1.4.1     key_w_fs
    bos.net.tcp.server      7.1.4.0      7.1.4.1     key_w_fs
    bos.net.tcp.imapd       7.2.0.0      7.2.0.0     key_w_fs
    bos.net.tcp.pop3d       7.2.0.0      7.2.0.0     key_w_fs
    bos.net.tcp.sendmail    7.2.0.0      7.2.0.0     key_w_fs
    
    Note:  to find out whether the affected filesets are installed 
    on your systems, refer to the lslpp command found in AIX user's guide.

    Example:  lslpp -L | grep -i bos.net.tcp.client
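
The fileset check above, automated as an added example (not IBM tooling): it reads the advisory rows tagged key_w_fs and compares each installed level numerically against the listed ranges. The function name and the "lslpp -Lqc" field order (package:fileset:level:...) are assumptions.

```shell
#!/bin/sh
# Added example: flag installed filesets whose level falls inside a vulnerable
# range listed in the advisory (rows whose KEY column is key_w_fs).
# usage: vulnerable_filesets ADVISORY_FILE LSLPP_FILE
#   LSLPP_FILE holds "lslpp -Lqc" output (colon-separated; the field order
#   package:fileset:level:... is an assumption about that output).
vulnerable_filesets() {
  awk -F: -v adv="$1" '
    # Compare two dotted levels field by field, numerically (so .9 < .10).
    function cmp(a, b,    x, y, i) {
      split(a, x, "."); split(b, y, ".")
      for (i = 1; i <= 4; i++) {
        if (x[i] + 0 < y[i] + 0) return -1
        if (x[i] + 0 > y[i] + 0) return 1
      }
      return 0
    }
    BEGIN {
      # Load "fileset lower upper key_w_fs" rows; a leading "|" is the
      # advisory change marker and is dropped before splitting.
      while ((getline line < adv) > 0) {
        sub(/^\|[ \t]*/, "", line)
        k = split(line, f, " ")
        if (k >= 4 && f[k] == "key_w_fs") {
          n++; fs[n] = f[1]; lo[n] = f[2]; hi[n] = f[3]
        }
      }
      if (n == 0) { print "no key_w_fs rows in " adv | "cat 1>&2"; bad = 1; exit 2 }
    }
    {
      for (i = 1; i <= n; i++)
        if ($2 == fs[i] && cmp($3, lo[i]) >= 0 && cmp($3, hi[i]) <= 0) {
          print $2, $3, "in", lo[i] "-" hi[i]; hits++; break
        }
    }
    END { if (bad) exit 2; exit (hits > 0) }   # 1 = vulnerable fileset found
  ' "$2"
}

if [ "$#" -eq 2 ]; then vulnerable_filesets "$1" "$2"; fi
```

An interim fix does not change the fileset level, so a host that still reports a level inside the range may already be remediated; confirm with "emgr -l" before treating a hit as open.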

REMEDIATION:

    A. APARS
        
        IBM has assigned the following APARs to this problem:

        AIX Level APAR     Availability  SP   KEY
        ------------------------------------------------
        5.3.12    IV86120  N/A           N/A  key_w_apar
        6.1.9     IV86116  10/21/16      SP8  key_w_apar
        7.1.3     IV86117  1/27/17       SP8  key_w_apar
        7.1.4     IV86118  10/21/16      SP3  key_w_apar
        7.2.0     IV86119  1/27/17       SP3  key_w_apar
        7.2.0     IV86132  1/27/17       SP3  key_w_apar

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV86120
        http://www.ibm.com/support/docview.wss?uid=isg1IV86116
        http://www.ibm.com/support/docview.wss?uid=isg1IV86117
        http://www.ibm.com/support/docview.wss?uid=isg1IV86118
        http://www.ibm.com/support/docview.wss?uid=isg1IV86119
        http://www.ibm.com/support/docview.wss?uid=isg1IV86132

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.

        The fixes can be downloaded via ftp or http from:

        ftp://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar
        http://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar
        https://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar 

        The link above is to a tar file containing this signed
        advisory, fix packages, and OpenSSL signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.
       
        NOTE: for 7.2.0, two fixes are listed.  Both fixes need to be
        installed to remediate both CVE-2015-7575 and CVE-2016-0266.

| NOTE: for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6, 7.1.3.5, and 7.1.3.6,
| the iFixes have been separated by application. Please check the
| subsequent tables.

        AIX Level  Interim Fix (*.Z)         KEY
        ----------------------------------------------
        6.1.9.7    IV86116m7a.160701.epkg.Z  key_w_fix
        7.1.3.7    IV86117m7a.160725.epkg.Z  key_w_fix 
        7.1.4.x    IV86118m2a.160701.epkg.Z  key_w_fix
        7.2.0.x    IV86119s0a.160701.epkg.Z  key_w_fix
        7.2.0.x    IV86132s0a.160701.epkg.Z  key_w_fix
        
        VIOS Level  Interim Fix (*.Z)         KEY
        -----------------------------------------------
        2.2.4.2x    IV86116m7a.160701.epkg.Z  key_w_fix

        The above fixes are cumulative and address previously issued
        AIX sendmail, imap, and pop3d security bulletins with respect to
        SP and TL. 

| For AIX 5.3.12, 6.1.9.5, 6.1.9.6, 7.1.3.5, and 7.1.3.6:

| BIND:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        5.3.12.9   IV88957m9a.160910.epkg.Z  key_w_fix  BIND
        6.1.9.5    IV79071m5a.160901.epkg.Z  key_w_fix  BIND
        6.1.9.6    IV79071m6a.161017.epkg.Z  key_w_fix  BIND
        7.1.3.5    IV82331m5a.160830.epkg.Z  key_w_fix  BIND
        7.1.3.6    IV82331m6a.160901.epkg.Z  key_w_fix  BIND

| ftp/ftpd:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        6.1.9.5    IV78624m5a.160830.epkg.Z  key_w_fix  ftp/ftpd
        7.1.3.5    IV82327m5a.160830.epkg.Z  key_w_fix  ftp/ftpd
        7.1.3.6    IV82327s6a.160901.epkg.Z  key_w_fix  ftp/ftpd

| NOTE: ftp/ftpd on AIX 5.3.12.9 and 6.1.9.6 are not impacted.

| imapd/pop3d:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        5.3.12.9   IV88959m9a.160915.epkg.Z  key_w_fix  imapd/pop3d
        6.1.9.5    IV79070m5a.160901.epkg.Z  key_w_fix  imapd/pop3d
        6.1.9.6    IV79070m6a.160902.epkg.Z  key_w_fix  imapd/pop3d
        7.1.3.5    IV82330m5a.160831.epkg.Z  key_w_fix  imapd/pop3d
        7.1.3.6    IV82330m6a.160831.epkg.Z  key_w_fix  imapd/pop3d

| ndpd-host/ndpd-router

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------------------
        6.1.9.5    IV79072s5a.160830.epkg.Z  key_w_fix  ndpd-host/ndpd-router
        6.1.9.6    IV79072s6a.160902.epkg.Z  key_w_fix  ndpd-host/ndpd-router
        7.1.3.5    IV82412s5a.160829.epkg.Z  key_w_fix  ndpd-host/ndpd-router
        7.1.3.6    IV82412s6a.160901.epkg.Z  key_w_fix  ndpd-host/ndpd-router

| NOTE: ndpd-host/ndpd-router on AIX 5.3.12.9 is not impacted.

| sendmail:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        5.3.12.9   IV88960m9a.160913.epkg.Z  key_w_fix  sendmail
        6.1.9.5    IV78625m5a.160901.epkg.Z  key_w_fix  sendmail
        6.1.9.6    IV86116s6a.160812.epkg.Z  key_w_fix  sendmail
        7.1.3.5    IV82328m5a.160830.epkg.Z  key_w_fix  sendmail
        7.1.3.6    IV82328m6a.160901.epkg.Z  key_w_fix  sendmail

| NOTE: sendmail on AIX 6.1.9.6 is not impacted by CVE-2016-0266
| but does require a fix for CVE-2015-7575.

        To extract the fixes from the tar file:

        tar xvf nettcp_fix2.tar
        cd nettcp_fix2

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256 file" command as the following:


        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        [email protected] and describe the discrepancy.
       
        openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>

        openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>

        Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig 
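
The checksum step above, scripted as an added example (not part of the advisory or IBM tooling): it pulls the rows tagged key_w_csum out of the advisory file, including rows carrying the "|" change marker, and compares each package in the extracted directory with "openssl dgst -sha256". The function names and the sha256sum fallback are assumptions.

```shell
#!/bin/sh
# Added example: check every fix package against the advisory rows tagged
# key_w_csum ("<sha256> <filename> key_w_csum"), as the step above describes.

# Hex SHA-256 of a file via "openssl dgst -sha256" (digest is the last field).
sha256_of() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | awk '{ print $NF }'
  else
    sha256sum "$1" | awk '{ print $1 }'   # assumption: staging host without openssl
  fi
}

# usage: verify_fixes ADVISORY_FILE FIX_DIR
# Prints OK/MISMATCH/MISSING/BADNAME per package; returns 0 only if all are OK.
verify_fixes() {
  advisory=$1 dir=$2 rc=0
  # Drop the "|" change marker, keep rows with a 64-hex digest and the KEY tag.
  rows=$(sed 's/^|[[:space:]]*//' "$advisory" | awk '
    $NF == "key_w_csum" && length($1) == 64 && $1 ~ /^[0-9a-f]+$/ { print $1, $2 }')
  [ -n "$rows" ] || { echo "no key_w_csum rows in $advisory" >&2; return 2; }
  while read -r want name; do
    case $name in
      */*) echo "BADNAME $name"; rc=1; continue ;;   # never leave FIX_DIR
    esac
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING $name"; rc=1
    elif [ "$(sha256_of "$dir/$name")" = "$want" ]; then
      echo "OK $name"
    else
      echo "MISMATCH $name"; rc=1
    fi
  done <<EOF
$rows
EOF
  return $rc
}

if [ "$#" -eq 2 ]; then verify_fixes "$1" "$2"; fi
```

A matching checksum only shows that a package agrees with the advisory text that was parsed; verifying the advisory's own signature with the "openssl dgst -verify" command above is what ties that text to the published key.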

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    None.

===============================================================================

CONTACT US:

Note: Keywords labeled as KEY in this document are used for parsing
purposes.

If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":

    http://www.ibm.com/support/mynotifications

To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Comments regarding the content of this announcement can be
directed to:

    [email protected]

To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:

    Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:

    A. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

    B. Download the key from a PGP Public Key Server. The key ID is:

        0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

REFERENCES:

Complete CVSS v3 Guide:  http://www.first.org/cvss/user-guide
On-line Calculator v3:
    http://www.first.org/cvss/calculator/3.0

ACKNOWLEDGEMENTS:

None 

CHANGE HISTORY:

First Issued: Tue Jul 26 13:50:13 CDT 2016 
Updated: Thu Aug  4 12:27:57 CDT 2016
Update: Clarified that the fixes provided for AIX 7.1.4 and 7.2.0 are
    compatible across previous SPs for the respective TL.
Updated: Tue Aug  9 09:31:01 CDT 2016
Update: Additional iFixes provided for AIX 6.1.9.5, 6.1.9.6,
    7.1.3.5, and 7.1.3.6.

| Updated: Thu Oct 20 10:56:28 CDT 2016
| Update: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
| 7.1.3.5, and 7.1.3.6. Scope increased to include ftp/ftpd and
| ndpd-host/ndpd-router.

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an “industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
