Lucene search

CentOS ProjectNTP_ADVISORY6.ASC

HistoryJun 08, 2016 - 1:17 p.m.

Vulnerabilities in NTP affect AIX,Vulnerabilities in NTP affect VIOS

2016-06-0813:17:48

CentOS Project

aix.software.ibm.com

1415

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

0.082 Low

EPSS

Percentile

94.3%

JSON

ntp_advisory6.asc: Version 6
Version 6 Issued: Tue Aug 16 11:41:45 CDT 2016
Version 6 Changes: Fix added for AIX 7.2.0.2 and is now included in the
tar file, ntp_fix6.tar.
AIX 7.2.0.2 iFix for NTPv3: IV83995s2b.160713.epkg.Z

IBM SECURITY ADVISORY

First Issued: Wed Jun 8 13:17:48 CDT 2016
|Updated: Tue Aug 16 11:41:45 CDT 2016
|Update: Added iFix for AIX 7.2.0.2.

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc

Security Bulletin: Vulnerabilities in NTP affect AIX
CVE-2015-7973 CVE-2015-7977 CVE-2015-7979 CVE-2015-8158
CVE-2015-8139 CVE-2015-8140

===============================================================================

SUMMARY:

There are multiple vulnerabilities in NTP that impact AIX.

===============================================================================

VULNERABILITY DETAILS:

CVEID: CVE-2015-7973
https://vulners.com/cve/CVE-2015-7973 
DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.
    An attacker could exploit this vulnerability using authenticated
    broadcast mode packets to conduct a replay attack and gain
    unauthorized access to the system. 
CVSS Base Score: 5.4 
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/110018 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2015-7977
https://vulners.com/cve/CVE-2015-7977
DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL
    pointer dereference. By sending a specially crafted ntpdc reslist
    command, an attacker could exploit this vulnerability to cause a
    segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/110022 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7979
https://vulners.com/cve/CVE-2015-7979
DESCRIPTION: NTP could allow a remote attacker to bypass security
    restrictions. By sending specially crafted broadcast packets with bad
    authentication, an attacker could exploit this vulnerability to cause
    the target broadcast client to tear down the association with the
    broadcast server.
CVSS Base Score: 6.5
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/110024 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2015-8139
https://vulners.com/cve/CVE-2015-8139
DESCRIPTION: NTP could allow a remote attacker to obtain sensitive
    information, caused by an origin leak in ntpq and ntpdc. An attacker
    could exploit this vulnerability to obtain sensitive information. 
CVSS Base Score: 5.3
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/110027 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2015-8140
https://vulners.com/cve/CVE-2015-8140
DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.
    An attacker could exploit this vulnerability using ntpq to conduct a
    replay attack and gain unauthorized access to the system. 
CVSS Base Score: 5.3
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/110028 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-8158
https://vulners.com/cve/CVE-2015-8158
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
    improper processing of incoming packets by ntpq. By sending specially
    crafted data, an attacker could exploit this vulnerability to cause
    the application to enter into an infinite loop.
CVSS Base Score: 5.3
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/110026 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)


AFFECTED PRODUCTS AND VERSIONS:

    AIX 5.3, 6.1, 7.1, 7.2
    VIOS 2.2.x

    The following fileset levels are vulnerable:
    
    key_fileset = aix
    
    For NTPv3:

    Fileset             Lower Level  Upper Level KEY       PRODUCT(S)
    -----------------------------------------------------------------
    bos.net.tcp.client  5.3.12.0     5.3.12.10   key_w_fs  NTPv3
    bos.net.tcp.client  6.1.9.0      6.1.9.102   key_w_fs  NTPv3
    bos.net.tcp.client  7.1.3.0      7.1.3.47    key_w_fs  NTPv3
    bos.net.tcp.client  7.1.4.0      7.1.4.1     key_w_fs  NTPv3
    bos.net.tcp.ntp     7.2.0.0      7.2.0.2     key_w_fs  NTPv3
    bos.net.tcp.ntpd    7.2.0.0      7.2.0.2     key_w_fs  NTPv3


    For NTPv4:

    Fileset             Lower Level  Upper Level KEY       PRODUCT(S)
    -----------------------------------------------------------------
    ntp.rte             6.1.6.0      6.1.6.5     key_w_fs  NTPv4
    ntp.rte             7.1.0.0      7.1.0.5     key_w_fs  NTPv4
    
    Note:  to find out whether the affected filesets are installed 
    on your systems, refer to the lslpp command found in AIX user's guide.

    Example:  lslpp -L | grep -i ntp.rte 


REMEDIATION:

    A. APARS
        
        IBM has assigned the following APARs to this problem:

        For NTPv3:

        AIX Level APAR     Availability  SP   KEY         PRODUCT(S)
        ------------------------------------------------------------
        5.3.12    IV84269  N/A                key_w_apar  NTPv3
        6.1.9     IV83984  10/21/16      SP8  key_w_apar  NTPv3
        7.1.3     IV83993  1/27/17       SP8  key_w_apar  NTPv3
        7.1.4     IV83994  10/21/16      SP3  key_w_apar  NTPv3
        7.2.0     IV83995  1/27/17       SP3  key_w_apar  NTPv3

        For NTPv4:

        AIX Level APAR     Availability  SP   KEY         PRODUCT(S)
        ------------------------------------------------------------
        6.1.9     IV83992  10/21/16      SP8  key_w_apar  NTPv4
        7.1.3     IV83983  1/27/17       SP8  key_w_apar  NTPv4
        7.1.4     IV83983  10/21/16      SP3  key_w_apar  NTPv4
        7.2.0     IV83983  1/27/17       SP3  key_w_apar   NTPv4

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV83983
        http://www.ibm.com/support/docview.wss?uid=isg1IV83984
        http://www.ibm.com/support/docview.wss?uid=isg1IV83992
        http://www.ibm.com/support/docview.wss?uid=isg1IV83993
        http://www.ibm.com/support/docview.wss?uid=isg1IV83994
        http://www.ibm.com/support/docview.wss?uid=isg1IV83995
        http://www.ibm.com/support/docview.wss?uid=isg1IV84269

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.

        The fixes can be downloaded via ftp or http from:

        ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar
        http://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar
        https://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar 

        The link above is to a tar file containing this signed
        advisory, fix packages, and OpenSSL signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        For NTPv3:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        5.3.12.9   IV84269m9a.160522.epkg.Z  key_w_fix  NTPv3
        6.1.9.4    IV83984m4a.160506.epkg.Z  key_w_fix  NTPv3
        6.1.9.5    IV83984m5a.160510.epkg.Z  key_w_fix  NTPv3
        6.1.9.6    IV83984m6a.160504.epkg.Z  key_w_fix  NTPv3
        6.1.9.7    IV83984s7a.160622.epkg.Z  key_w_fix  NTPv3
        7.1.3.4    IV83993m4b.160510.epkg.Z  key_w_fix  NTPv3
        7.1.3.5    IV83993m5a.160510.epkg.Z  key_w_fix  NTPv3
        7.1.3.6    IV83993m6a.160505.epkg.Z  key_w_fix  NTPv3
        7.1.3.7    IV83993s7a.160714.epkg.Z  key_w_fix  NTPv3
        7.1.4.0    IV83994m1a.160505.epkg.Z  key_w_fix  NTPv3
        7.1.4.1    IV83994m1a.160505.epkg.Z  key_w_fix  NTPv3
        7.1.4.2    IV83994s2a.160620.epkg.Z  key_w_fix  NTPv3
        7.2.0.0    IV83995m0a.160510.epkg.Z  key_w_fix  NTPv3
        7.2.0.1    IV83995m1a.160601.epkg.Z  key_w_fix  NTPv3

| 7.2.0.2 IV83995s2b.160713.epkg.Z key_w_fix NTPv3

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        2.2.4.0     IV83984m6a.160504.epkg.Z  key_w_fix  NTPv3
        2.2.4.2x    IV83984s7a.160622.epkg.Z  key_w_fix  NTPv3

        For NTPv4:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        6.1.x      IV83992s5a.160602.epkg.Z  key_w_fix  NTPv4
        7.1.x      IV83983s5a.160602.epkg.Z  key_w_fix  NTPv4
        7.2.x      IV83983s5a.160602.epkg.Z  key_w_fix  NTPv4
        
        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        2.2.x       IV83992s5a.160602.epkg.Z  key_w_fix  NTPv4
        
        All fixes included are cumulative and address previously
        issued AIX NTP security bulletins with respect to SP and TL. 

        To extract the fixes from the tar file:

        tar xvf ntp_fix6.tar
        cd ntp_fix6

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256 file" command as the followng:

        openssl dgst -sha256                                              filename                 KEY
        -----------------------------------------------------------------------------------------------------
        1dde048eab83d5519a8331f2db377a010f6adccb24665eaebabf2d8fb55decda  IV83983s5a.160602.epkg.Z key_w_csum
        afbe3f7603602dc81f7a55dd68f7e00f6d6c90672cc91dca6d647a5e9455f470  IV83984m4a.160506.epkg.Z key_w_csum
        1df47de2dc201ac958da849a126b68f9c58c88ec4bd11ab0874465f25ba92878  IV83984m5a.160510.epkg.Z key_w_csum
        7b26d3a1e5e420e2c93febbd87f73806cdef506793abe7508d189ef6ee2596a7  IV83984m6a.160504.epkg.Z key_w_csum
        14ec9d1beab7335c197662ad57e112b17c25f2ffc13bb9b9767416b5dda9251b  IV83984s7a.160622.epkg.Z key_w_csum
        657a259c37c99aa990933f1ecd7719fcb07c7852acd3236bc33f932c45ad5bee  IV83992s5a.160602.epkg.Z key_w_csum
        cb890c4c7d3a0ab09fe10da469721737d2a4cbd3baa4da5214e68ce467a6b1b0  IV83993m4b.160510.epkg.Z key_w_csum
        3b78ac22352ec959be91a561f23b13912f7fbda00974d818c5a66bc332e85abc  IV83993m5a.160510.epkg.Z key_w_csum
        0c73bb6b7da724d29400c4398fb98bc3cfb45a88e9744879fcde6c421108bee6  IV83993m6a.160505.epkg.Z key_w_csum
        86998a1cb16cc5d5f941fe737709cd210754d85449a4cb280662026f6ef5bf09  IV83993s7a.160714.epkg.Z key_w_csum
        c3abfb2272f6a6793f2ef9c4d5e8a54cf5d60c20d49b65414a9c5d2d28b9c964  IV83994m1a.160505.epkg.Z key_w_csum
        540fcf0df555219d88619bac9e7de276010d26fad5957d5bac8decd19798bd93  IV83994s2a.160620.epkg.Z key_w_csum
        7b214849e3d46c41498eef287497e7576f89fe274ca4305a6b3e5eb7e2be63dd  IV83995m0a.160510.epkg.Z key_w_csum
        97c9b857e023d89fdfc22730938ea4127c7efce25628d76abdc86337f64f7a03  IV83995m1a.160601.epkg.Z key_w_csum

| ef7f0f4a205af86be406ed7b1258080f8e916e5e6fbc86a8b7cdd927f670cd29 IV83995s2b.160713.epkg.Z key_w_csum
732f0254ace2786f5e7ddadef10e1e64cc381ecf5d6ebb9131b64115f87e8d52 IV84269m9a.160522.epkg.Z key_w_csum

        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        [email protected] and describe the discrepancy.
        
        openssl dgst -sha1 -verify &lt;pubkey_file&gt; -signature &lt;advisory_file&gt;.sig &lt;advisory_file&gt;

        openssl dgst -sha1 -verify &lt;pubkey_file&gt; -signature &lt;ifix_file&gt;.sig &lt;ifix_file&gt;

        Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig 

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        The fix will not take affect until any running xntpd servers
        have been stopped and restarted with the  following commands:

            stopsrc -s xntpd
            startsrc -s xntpd

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                    # fix package being previewed.
        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                    # fix package being installed.

        After installation the ntp daemon must be restarted:

        stopsrc -s xntpd

        startsrc -s xntpd

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    For CVE-2015-8139 and CVE-2015-8140:
    Monitor your ntpd instances.
    If this sort of attack is an active problem for you, you have deeper
    problems to investigate. Also consider having smaller NTP broadcast 
    domains. 
    If you must enable mode 7: 
        configure the use of a requestkey to control who can issue mode 7
        requests. 
        configure restrict noquery to further limit mode 7 requests to
        trusted sources.
    Don't use broadcast mode if you cannot monitor your client servers.

===============================================================================

Note: Keywords labeled as KEY in this document are used for parsing
purposes.

If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":

    http://www.ibm.com/support/mynotifications

To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Comments regarding the content of this announcement can be
directed to:

    [email protected]

To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:

    Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:

    A. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

    B. Download the key from a PGP Public Key Server. The key ID is:

        0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

REFERENCES:

Complete CVSS v3 Guide:  http://www.first.org/cvss/user-guide
On-line Calculator v3:
    http://www.first.org/cvss/calculator/3.0

ACKNOWLEDGEMENTS:

None

CHANGE HISTORY:

First Issued: Wed Jun  8 13:17:48 CDT 2016 
Updated: Thu Jun  9 11:04:06 CDT 2016
Update: CVE-2015-8139 and CVE-2015-8140 added with clarified Workarounds
    and Mitigations section.
Updated: Mon Jun 20 10:45:48 CDT 2016
Update: Added iFix for AIX 7.1.4.2.
Updated: Wed Jun 22 10:25:29 CDT 2016 
Update: Added iFix for AIX 6.1.9.7 and VIOS 2.2.4.20.
Updated: Tue Jul 19 11:47:37 CDT 2016
Update: Added iFix for AIX 7.1.3.7.

| Updated: Tue Aug 16 11:41:45 CDT 2016
| Update: Added iFix for AIX 7.2.0.2.

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an “industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.