CVSS3: 5.9 Medium
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.004 Low (percentile 72.3%)

nettcp_advisory2.asc: Version 4
Version 4 Issued: Thu Oct 20 10:56:28 CDT 2016
Version 4 Changes: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
7.1.3.5, and 7.1.3.6. For security reasons, it is highly recommended
to install these new iFixes. Bulletin scope increased to include
ftp/ftpd and ndpd-host/ndpd-router.
IBM SECURITY ADVISORY
First Issued: Tue Jul 26 13:50:13 CDT 2016
|Updated: Thu Oct 20 10:56:28 CDT 2016
|Update: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
| 7.1.3.5, and 7.1.3.6. Scope increased to include ftp/ftpd and
| ndpd-host/ndpd-router.
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
ftp://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
Security Bulletin: Vulnerabilities in MD5 Signature and Hash Algorithm and
| TLS 1.2 affects sendmail, imap, pop3d, ftp/ftpd, and ndpd-host/ndpd-router
| on AIX (CVE-2015-7575 and CVE-2016-0266)
===============================================================================
SUMMARY:
| TLS 1.2 is not the default communication for sendmail, imap, pop3d,
| ftp/ftpd, and ndpd-host/ndpd-router, and TLS 1.2 is impacted by the MD5
| Sloth vulnerability.
===============================================================================
VULNERABILITY DETAILS:
CVEID: CVE-2015-7575
https://vulners.com/cve/CVE-2015-7575
DESCRIPTION: The TLS protocol could allow weaker than expected security
caused by a collision attack when using the MD5 hash function for
signing a ServerKeyExchange message during a TLS handshake. An
attacker could exploit this vulnerability using man-in-the-middle
techniques to impersonate a TLS server and obtain credentials.
CVSS Base Score: 7.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/109415 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N)
CVEID: CVE-2016-0266
https://vulners.com/cve/CVE-2016-0266
DESCRIPTION: IBM AIX does not require the newest version of TLS by default
which could allow a remote attacker to obtain sensitive information
using man in the middle techniques.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110911 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3, 6.1, 7.1, 7.2
VIOS 2.2.x
The following fileset levels are vulnerable:
key_fileset = aix
Fileset                 Lower Level  Upper Level  KEY
---------------------------------------------------------
bos.net.tcp.client      5.3.12.0     5.3.12.10    key_w_fs
bos.net.tcp.server      5.3.12.0     5.3.12.6     key_w_fs
bos.net.tcp.client      6.1.9.0      6.1.9.102    key_w_fs
bos.net.tcp.server      6.1.9.0      6.1.9.101    key_w_fs
bos.net.tcp.client      7.1.3.0      7.1.3.47     key_w_fs
bos.net.tcp.server      7.1.3.0      7.1.3.47     key_w_fs
bos.net.tcp.client      7.1.4.0      7.1.4.1      key_w_fs
bos.net.tcp.server      7.1.4.0      7.1.4.1      key_w_fs
bos.net.tcp.imapd       7.2.0.0      7.2.0.0      key_w_fs
bos.net.tcp.pop3d       7.2.0.0      7.2.0.0      key_w_fs
bos.net.tcp.sendmail    7.2.0.0      7.2.0.0      key_w_fs
Note: to find out whether the affected filesets are installed
on your systems, refer to the lslpp command found in AIX user's guide.
Example: lslpp -L | grep -i bos.net.tcp.client
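The lslpp command above only reports the installed level; deciding whether that level is inside one of the listed ranges needs a field-by-field numeric comparison. The following is an added example, not part of the IBM advisory: the names vulnerable_filesets, VULN_RANGES and SAMPLE are hypothetical, the inventory is constructed, and the lslpp -Lc field positions mentioned in the comment are an assumption.

```shell
#!/bin/sh
# Added example, not IBM code. Ranges (inclusive) copied from the advisory table.
VULN_RANGES='bos.net.tcp.client 5.3.12.0 5.3.12.10
bos.net.tcp.server 5.3.12.0 5.3.12.6
bos.net.tcp.client 6.1.9.0 6.1.9.102
bos.net.tcp.server 6.1.9.0 6.1.9.101
bos.net.tcp.client 7.1.3.0 7.1.3.47
bos.net.tcp.server 7.1.3.0 7.1.3.47
bos.net.tcp.client 7.1.4.0 7.1.4.1
bos.net.tcp.server 7.1.4.0 7.1.4.1
bos.net.tcp.imapd 7.2.0.0 7.2.0.0
bos.net.tcp.pop3d 7.2.0.0 7.2.0.0
bos.net.tcp.sendmail 7.2.0.0 7.2.0.0'

# vulnerable_filesets: read "fileset level" pairs on stdin and print those
# inside a vulnerable range. Exit status is 0 if any matched, 1 otherwise.
vulnerable_filesets() {
    RANGES="$VULN_RANGES" awk '
        # Pack V.R.M.F into one number: 6.1.9.102 must rank above 6.1.9.45.
        function key(v,    p) {
            split(v, p, ".")
            return ((p[1] * 10000 + p[2]) * 10000 + p[3]) * 10000 + p[4]
        }
        BEGIN {
            n = split(ENVIRON["RANGES"], row, "\n")
            for (i = 1; i <= n; i++) {
                split(row[i], f, " ")
                name[i] = f[1]; lo[i] = key(f[2]); hi[i] = key(f[3])
            }
        }
        /^#/ || NF < 2 { next }   # skip header and blank lines
        {
            k = key($2)
            for (i = 1; i <= n; i++)
                if ($1 == name[i] && k >= lo[i] && k <= hi[i]) {
                    print $1, $2; found = 1; break
                }
        }
        END { exit !found }
    '
}

# Constructed inventory for illustration. On AIX the pairs could come from
# lslpp -Lc, assuming fileset and level are its 2nd and 3rd ":" fields.
SAMPLE='bos.net.tcp.client 6.1.9.45
bos.net.tcp.server 6.1.9.200
bos.net.tcp.client 7.1.4.30
bos.net.tcp.sendmail 7.2.0.0'
printf '%s\n' "$SAMPLE" | vulnerable_filesets
```

A level that is reported as outside every range still needs the APAR or interim fix status confirmed, since the table only covers the filesets named in this bulletin.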
REMEDIATION:
A. APARS
IBM has assigned the following APARs to this problem:
AIX Level  APAR     Availability  SP   KEY
------------------------------------------------
5.3.12     IV86120  N/A           N/A  key_w_apar
6.1.9      IV86116  10/21/16      SP8  key_w_apar
7.1.3      IV86117  1/27/17       SP8  key_w_apar
7.1.4      IV86118  10/21/16      SP3  key_w_apar
7.2.0      IV86119  1/27/17       SP3  key_w_apar
7.2.0      IV86132  1/27/17       SP3  key_w_apar
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IV86120
http://www.ibm.com/support/docview.wss?uid=isg1IV86116
http://www.ibm.com/support/docview.wss?uid=isg1IV86117
http://www.ibm.com/support/docview.wss?uid=isg1IV86118
http://www.ibm.com/support/docview.wss?uid=isg1IV86119
http://www.ibm.com/support/docview.wss?uid=isg1IV86132
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
B. FIXES
Fixes are available.
The fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar
http://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar
https://aix.software.ibm.com/aix/efixes/security/nettcp_fix2.tar
The link above is to a tar file containing this signed
advisory, fix packages, and OpenSSL signatures for each package.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.
NOTE: for 7.2.0, two fixes are listed. Both fixes need to be
installed to remediate both CVE-2015-7575 and CVE-2016-0266.
| NOTE: for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6, 7.1.3.5, and 7.1.3.6,
| the iFixes have been separated by application. Please check the
| subsequent tables.
AIX Level  Interim Fix (*.Z)         KEY
----------------------------------------------
6.1.9.7    IV86116m7a.160701.epkg.Z  key_w_fix
7.1.3.7    IV86117m7a.160725.epkg.Z  key_w_fix
7.1.4.x    IV86118m2a.160701.epkg.Z  key_w_fix
7.2.0.x    IV86119s0a.160701.epkg.Z  key_w_fix
7.2.0.x    IV86132s0a.160701.epkg.Z  key_w_fix

VIOS Level  Interim Fix (*.Z)         KEY
-----------------------------------------------
2.2.4.2x    IV86116m7a.160701.epkg.Z  key_w_fix
The above fixes are cumulative and address previously issued
AIX sendmail, imap, and pop3d security bulletins with respect to
SP and TL.
| For AIX 5.3.12, 6.1.9.5, 6.1.9.6, 7.1.3.5, and 7.1.3.6:
| BIND:
| AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
| ------------------------------------------------------------
| 5.3.12.9   IV88957m9a.160910.epkg.Z  key_w_fix  BIND
| 6.1.9.5    IV79071m5a.160901.epkg.Z  key_w_fix  BIND
| 6.1.9.6    IV79071m6a.161017.epkg.Z  key_w_fix  BIND
| 7.1.3.5    IV82331m5a.160830.epkg.Z  key_w_fix  BIND
| 7.1.3.6    IV82331m6a.160901.epkg.Z  key_w_fix  BIND
| ftp/ftpd:
| AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
| ------------------------------------------------------------
| 6.1.9.5    IV78624m5a.160830.epkg.Z  key_w_fix  ftp/ftpd
| 7.1.3.5    IV82327m5a.160830.epkg.Z  key_w_fix  ftp/ftpd
| 7.1.3.6    IV82327s6a.160901.epkg.Z  key_w_fix  ftp/ftpd
| NOTE: ftp/ftpd on AIX 5.3.12.9 and 6.1.9.6 are not impacted.
| imapd/pop3d:
| AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
| ------------------------------------------------------------
| 5.3.12.9   IV88959m9a.160915.epkg.Z  key_w_fix  imapd/pop3d
| 6.1.9.5    IV79070m5a.160901.epkg.Z  key_w_fix  imapd/pop3d
| 6.1.9.6    IV79070m6a.160902.epkg.Z  key_w_fix  imapd/pop3d
| 7.1.3.5    IV82330m5a.160831.epkg.Z  key_w_fix  imapd/pop3d
| 7.1.3.6    IV82330m6a.160831.epkg.Z  key_w_fix  imapd/pop3d
| ndpd-host/ndpd-router:
| AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
| ----------------------------------------------------------------------
| 6.1.9.5    IV79072s5a.160830.epkg.Z  key_w_fix  ndpd-host/ndpd-router
| 6.1.9.6    IV79072s6a.160902.epkg.Z  key_w_fix  ndpd-host/ndpd-router
| 7.1.3.5    IV82412s5a.160829.epkg.Z  key_w_fix  ndpd-host/ndpd-router
| 7.1.3.6    IV82412s6a.160901.epkg.Z  key_w_fix  ndpd-host/ndpd-router
| NOTE: ndpd-host/ndpd-router on AIX 5.3.12.9 is not impacted.
| sendmail:
| AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
| ------------------------------------------------------------
| 5.3.12.9   IV88960m9a.160913.epkg.Z  key_w_fix  sendmail
| 6.1.9.5    IV78625m5a.160901.epkg.Z  key_w_fix  sendmail
| 6.1.9.6    IV86116s6a.160812.epkg.Z  key_w_fix  sendmail
| 7.1.3.5    IV82328m5a.160830.epkg.Z  key_w_fix  sendmail
| 7.1.3.6    IV82328m6a.160901.epkg.Z  key_w_fix  sendmail
| NOTE: sendmail on AIX 6.1.9.6 is not impacted by CVE-2016-0266
| but does require a fix for CVE-2015-7575.
To extract the fixes from the tar file:
tar xvf nettcp_fix2.tar
cd nettcp_fix2
Verify you have retrieved the fixes intact:
The checksums below were generated using the
"openssl dgst -sha256 file" command as the following:
These sums should match exactly. The OpenSSL signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security at
[email protected] and describe the discrepancy.
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>
Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig
https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc.sig
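One way to script the checksum comparison described above so that a package is only accepted when its SHA-256 is listed and matches. This is an added example, not part of the IBM advisory: verify_fix, sha256_of and demo are hypothetical names, the manifest is assumed to hold one "<sha256> <filename>" pair per line (a leading "|" change bar and trailing columns are tolerated), and demo.epkg.Z is a constructed stand-in file.

```shell
#!/bin/sh
# Added example, not IBM code: check a downloaded package against a manifest
# of "<sha256> <filename>" lines before installing it.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        # Prints "SHA256(FILE)= <hex>"; the digest is the last field.
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    else
        sha256sum "$1" | awk '{ print $1 }'   # fallback, not in the advisory
    fi
}

# verify_fix MANIFEST FILE
# Returns 0 on a match, 1 on a mismatch, 2 when FILE is unreadable or not
# listed. An unlisted file is a failure, never "nothing to check".
verify_fix() {
    manifest=$1
    file=$2
    [ -r "$file" ] || { echo "MISSING $file" >&2; return 2; }
    base=$(basename "$file")
    # Tolerate a leading "|" change bar and ignore columns after the name.
    want=$(awk -v f="$base" '{ sub(/^[|][ \t]*/, "") }
        $2 == f { print tolower($1); exit }' "$manifest")
    [ -n "$want" ] || { echo "UNLISTED $base" >&2; return 2; }
    got=$(sha256_of "$file" | tr 'A-F' 'a-f')
    if [ "$got" = "$want" ]; then
        echo "OK $base"
    else
        echo "MISMATCH $base" >&2
        return 1
    fi
}

# Constructed demo: a stand-in package holding the bytes "abc" and a manifest
# line carrying the well-known SHA-256 of "abc".
demo() {
    d=$(mktemp -d) || return 2
    printf 'abc' > "$d/demo.epkg.Z"
    echo '| ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad demo.epkg.Z key_w_csum' > "$d/manifest"
    verify_fix "$d/manifest" "$d/demo.epkg.Z"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

A matching checksum only shows the file agrees with the manifest; the manifest itself should come from the signed advisory, verified with the openssl dgst -verify commands given above.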
C. FIX AND INTERIM FIX INSTALLATION
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
To preview a fix installation:
installp -a -d fix_name -p all # where fix_name is the name of the
# fix package being previewed.
To install a fix package:
installp -a -d fix_name -X all # where fix_name is the name of the
# fix package being installed.
Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; however, IBM does fully support them.
Interim fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an interim fix installation:
emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an interim fix package:
emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
WORKAROUNDS AND MITIGATIONS:
None.
===============================================================================
CONTACT US:
Note: Keywords labeled as KEY in this document are used for parsing
purposes.
If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":
http://www.ibm.com/support/mynotifications
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
Comments regarding the content of this announcement can be
directed to:
[email protected]
To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:
Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:
A. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
B. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
REFERENCES:
Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide
On-line Calculator v3:
http://www.first.org/cvss/calculator/3.0
ACKNOWLEDGEMENTS:
None
CHANGE HISTORY:
First Issued: Tue Jul 26 13:50:13 CDT 2016
Updated: Thu Aug 4 12:27:57 CDT 2016
Update: Clarified that the fixes provided for AIX 7.1.4 and 7.2.0 are
compatible across previous SPs for the respective TL.
Updated: Tue Aug 9 09:31:01 CDT 2016
Update: Additional iFixes provided for AIX 6.1.9.5, 6.1.9.6,
7.1.3.5, and 7.1.3.6.
| Updated: Thu Oct 20 10:56:28 CDT 2016
| Update: New iFixes provided for AIX 5.3.12.9, 6.1.9.5, 6.1.9.6,
| 7.1.3.5, and 7.1.3.6. Scope increased to include ftp/ftpd and
| ndpd-host/ndpd-router.
===============================================================================
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an “industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.