Vulnerabilities in NTP affect AIX,Vulnerabilities in NTP affect VIOS

ntp_advisory7.asc: Version 2
Version 2 Issued: Tue Sep 13 08:23:22 CDT 2016
Version 2 Changes: Changed the impacted upper level filesets listed for
NTPv4. The new levels should match the prereqs as listed in the
iFixes.

IBM SECURITY ADVISORY

First Issued: Tue Sep 6 09:07:16 CDT 2016
|Updated: Tue Sep 13 08:23:22 CDT 2016
|Update: Changed the impacted upper level filesets listed for NTPv4.

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc

Security Bulletin: Vulnerabilities in NTP affect AIX
CVE-2015-7974 CVE-2016-1550 CVE-2016-1551 CVE-2016-2517 CVE-2016-2518
CVE-2016-2519 CVE-2016-1547 CVE-2016-4957 CVE-2016-4953 CVE-2016-4954
CVE-2016-4955

===============================================================================

SUMMARY:

There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX. 

===============================================================================

VULNERABILITY DETAILS:

NTPv3 and NTPv4 are vulnerable to:

CVEID: CVE-2015-7974
https://vulners.com/cve/CVE-2015-7974 
DESCRIPTION: NTP could allow a remote authenticated attacker to conduct
    spoofing attacks, caused by a missing key check. An attacker could
    exploit this vulnerability to impersonate a peer. 
CVSS Base Score: 5.3
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/110019 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2016-1550 
https://vulners.com/cve/CVE-2016-1550
DESCRIPTION: NTP could allow a local attacker to bypass security
    restrictions, caused by the failure to use a constant-time memory
    comparison function when validating the authentication digest on
    incoming packets. By sending a specially crafted packet with an
    authentication payload, an attacker could exploit this vulnerability
    to conduct a timing attack to compute the value of the valid 
    authentication digest. 
CVSS Base Score: 4.0 
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112742 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2016-1551
https://vulners.com/cve/CVE-2016-1551
DESCRIPTION: While the majority OSes implement martian packet filtering in
    their network stack, at least regarding 127.0.0.0/8, a rare few will
    allow packets claiming to be from 127.0.0.0/8 that arrive over
    physical network. On these OSes, if ntpd is configured to use a
    reference clock an attacker can inject packets over the network that
    look like they are coming from that reference clock. 
CVSS Base Score: 3.7
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112743 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-2517
https://vulners.com/cve/CVE-2016-2517
DESCRIPTION: If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for ntpq or
    the requestkey for ntpdc (if mode7 is expressly enabled) can create a
    session with ntpd and then send a crafted packet to ntpd that will
    change the value of the trustedkey, controlkey, or requestkey to a
    value that will prevent any subsequent authentication with ntpd until
    ntpd is restarted. 
CVSS Base Score: 4.2
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112745 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-2518
https://vulners.com/cve/CVE-2016-2518
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error
    when using a specially crafted packet to create a peer association
    with hmode > 7.  An attacker could exploit this vulnerability to
    cause the MATCH_ASSOC() function to trigger an out-of-bounds read.
CVSS Base Score: 2.0
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112746 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2519
https://vulners.com/cve/CVE-2016-2519
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
    failure to always check the ctl_getitem() function return value. By
    sending an overly large value, an attacker could exploit this 
    vulnerability to cause a denial of service.
CVSS Base Score: 4.2
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112747 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)


NTPv4 is additionally vulnerable to:

CVEID: CVE-2016-1547
https://vulners.com/cve/CVE-2016-1547
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
    demobilization of a preemptable client association. By sending
    specially crafted crypto NAK packets, an attacker could exploit this
    vulnerability to cause a denial of service. 
CVSS Base Score: 3.7
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112739 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-4957
https://vulners.com/cve/CVE-2016-4957
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
    improper handling of packets. By sending specially crafted
    CRYPTO_NAK packets, an attacker could exploit this vulnerability to 
    cause ntpd to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/113695 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-4953
https://vulners.com/cve/CVE-2016-4953
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
    improper handling of packets. By sending specially crafted
    CRYPTO_NAK packets to an ephemeral peer target prior to a response
    being sent, a remote attacker could exploit this vulnerability to 
    demobilize the ephemeral association.
CVSS Base Score: 3.7
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/113696 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-4954
https://vulners.com/cve/CVE-2016-4954
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
    improper handling of packets. By sending spoofed server packets with
    correct origin timestamps, a remote attacker could exploit this
    vulnerability to cause a false leap indication to be set. 
CVSS Base Score: 3.7
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/113697 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-4955
https://vulners.com/cve/CVE-2016-4955
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
    improper handling of packets. By sending spoofed CRYPTO_NAK or a bad
    MAC packets with correct origin timestamps, a remote attacker could
    exploit this vulnerability to cause the autokey association to reset.
CVSS Base Score: 3.7
CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/113698 for more
    information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)


AFFECTED PRODUCTS AND VERSIONS:

    AIX 5.3, 6.1, 7.1, 7.2
    VIOS 2.2.x

    The following fileset levels are vulnerable:
    
    key_fileset = aix
    
    For NTPv3:

    Fileset             Lower Level  Upper Level KEY       PRODUCT(S)
    -----------------------------------------------------------------
    bos.net.tcp.client  5.3.12.0     5.3.12.10   key_w_fs  NTPv3
    bos.net.tcp.client  6.1.9.0      6.1.9.102   key_w_fs  NTPv3
    bos.net.tcp.client  7.1.3.0      7.1.3.47    key_w_fs  NTPv3
    bos.net.tcp.client  7.1.4.0      7.1.4.1     key_w_fs  NTPv3
    bos.net.tcp.ntp     7.2.0.0      7.2.0.2     key_w_fs  NTPv3
    bos.net.tcp.ntpd    7.2.0.0      7.2.0.2     key_w_fs  NTPv3


    For NTPv4:

    Fileset             Lower Level  Upper Level KEY       PRODUCT(S)
    -----------------------------------------------------------------

| ntp.rte 6.1.6.0 6.1.6.7 key_w_fs NTPv4
| ntp.rte 7.1.0.0 7.1.0.7 key_w_fs NTPv4

    Note:  to find out whether the affected filesets are installed 
    on your systems, refer to the lslpp command found in AIX user's guide.

    Example:  lslpp -L | grep -i ntp.rte 


REMEDIATION:

    A. APARS
        
        IBM has assigned the following APARs to this problem:

        For NTPv3:

        AIX Level APAR     Availability  SP   KEY         PRODUCT(S)
        ------------------------------------------------------------
        5.3.12    IV87614  N/A                key_w_apar  NTPv3
        6.1.9     IV87419  11/11/16      SP8  key_w_apar  NTPv3
        7.1.3     IV87615  1/27/17       SP8  key_w_apar  NTPv3
        7.1.4     IV87420  11/11/16      SP3  key_w_apar  NTPv3
        7.2.0     IV87939  1/27/17       SP3  key_w_apar  NTPv3

        For NTPv4:

        AIX Level APAR     Availability  SP   KEY         PRODUCT(S)
        ------------------------------------------------------------
        6.1.9     IV87278  11/11/16      SP8  key_w_apar  NTPv4
        7.1.3     IV87279  1/27/17       SP8  key_w_apar  NTPv4
        7.1.4     IV87279  11/11/16      SP3  key_w_apar  NTPv4
        7.2.0     IV87279  1/27/17       SP3  key_w_apar  NTPv4

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV87614
        http://www.ibm.com/support/docview.wss?uid=isg1IV87419
        http://www.ibm.com/support/docview.wss?uid=isg1IV87615
        http://www.ibm.com/support/docview.wss?uid=isg1IV87420
        http://www.ibm.com/support/docview.wss?uid=isg1IV87939
        http://www.ibm.com/support/docview.wss?uid=isg1IV87278
        http://www.ibm.com/support/docview.wss?uid=isg1IV87279

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.

        The fixes can be downloaded via ftp or http from:

        ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar
        http://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar
        https://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar 

        The link above is to a tar file containing this signed
        advisory, fix packages, and OpenSSL signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        For NTPv3:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        5.3.12.9   IV87614m9a.160901.epkg.Z  key_w_fix  NTPv3
        6.1.9.5    IV87419m5d.160823.epkg.Z  key_w_fix  NTPv3
        6.1.9.6    IV87419m6a.160823.epkg.Z  key_w_fix  NTPv3
        6.1.9.7    IV87419m7a.160901.epkg.Z  key_w_fix  NTPv3
        7.1.3.5    IV87615m5a.160823.epkg.Z  key_w_fix  NTPv3
        7.1.3.6    IV87615m6a.160824.epkg.Z  key_w_fix  NTPv3
        7.1.3.7    IV87615m7a.160901.epkg.Z  key_w_fix  NTPv3
        7.1.4.0    IV87420m0a.160825.epkg.Z  key_w_fix  NTPv3
        7.1.4.1    IV87420m0a.160825.epkg.Z  key_w_fix  NTPv3
        7.1.4.2    IV87420m2a.160901.epkg.Z  key_w_fix  NTPv3
        7.2.0.0    IV87939m0b.160830.epkg.Z  key_w_fix  NTPv3
        7.2.0.1    IV87939m0b.160830.epkg.Z  key_w_fix  NTPv3
        7.2.0.2    IV87939m2a.160901.epkg.Z  key_w_fix  NTPv3

        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        2.2.4.0     IV87419m6a.160823.epkg.Z  key_w_fix  NTPv3
        2.2.4.2x    IV87419m7a.160901.epkg.Z  key_w_fix  NTPv3

        For NTPv4:

        AIX Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        ----------------------------------------------------------
        6.1.x      IV87278s7a.160901.epkg.Z  key_w_fix  NTPv4
        7.1.x      IV87279s7a.160901.epkg.Z  key_w_fix  NTPv4
        7.2.x      IV87279s7a.160901.epkg.Z  key_w_fix  NTPv4
        
        VIOS Level  Interim Fix (*.Z)         KEY        PRODUCT(S)
        -----------------------------------------------------------
        2.2.x       IV87278s7a.160901.epkg.Z  key_w_fix  NTPv4
        
        All fixes included are cumulative and address previously
        issued AIX NTP security bulletins with respect to SP and TL. 

        To extract the fixes from the tar file:

        tar xvf ntp_fix7.tar
        cd ntp_fix7

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the
        "openssl dgst -sha256 file" command as the followng:

        openssl dgst -sha256                                              filename                 KEY
        -----------------------------------------------------------------------------------------------------
        42f8a7cc469eb8db7b447b8bf37561ff1ac5b5b98f9ceac9cb5d6c31797a084f  IV87278s7a.160901.epkg.Z key_w_csum
        74b64a7d219f1bb91e9979191b329e74ebd3ae453f9e6c7b5ba5c1bf483d8795  IV87279s7a.160901.epkg.Z key_w_csum
        e2569c0033e79fe3b9072c4eb3b3fbb0e577ea78fa2d821aa9cfd9dff0728d01  IV87419m5d.160823.epkg.Z key_w_csum
        64446d618397eb759b5aadd3135ec0e54d1f7e7fcfccdb500812fd799f79580f  IV87419m6a.160823.epkg.Z key_w_csum
        2cfc0ac55e6bc5b0ade14e414004a113c49d63b8d9c0d1f9bb8f836ad402fde5  IV87419m7a.160901.epkg.Z key_w_csum
        84f88fe1d81fdab21cbb1bca5c2cd0b9efd088123d5689cff2fc3070882269bb  IV87420m0a.160825.epkg.Z key_w_csum
        0512a77d83b978e8c0e0e0400f170dedf5ff05544256b9119b3dd8010a80eaca  IV87420m2a.160901.epkg.Z key_w_csum
        3681bf06ea3454bb988d0520a06aafe4c3a3dc2f0fc0e4d789f7b88cf44e70b1  IV87614m9a.160901.epkg.Z key_w_csum
        86789563d0acf449d75f6b35fb8df94cd0af5d61eab05644454756960c13e5e0  IV87615m5a.160823.epkg.Z key_w_csum
        f18ba3b6ac181feae7dc94b783e69ca22b7e747b60ebce5e24898807c011e92a  IV87615m6a.160824.epkg.Z key_w_csum
        4163cd0088894bd035d0cc2484c7139363208f815daa603855ff16a49283e704  IV87615m7a.160901.epkg.Z key_w_csum
        8f63ff8609fa769c89b0ce5e37a3b2292fdc930f9c4a75b2cb75e4073756f0ff  IV87939m0b.160830.epkg.Z key_w_csum
        b70ff05f8ebb43e26535a2005630903a8b2efe035071a8ef16fe773cadedfcb9  IV87939m2a.160901.epkg.Z key_w_csum


        These sums should match exactly. The OpenSSL signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        [email protected] and describe the discrepancy.
        
        openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>

        openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>

        Published advisory OpenSSL signature file location:

        http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig
        https://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig
        ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig 

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        The fix will not take affect until any running xntpd servers
        have been stopped and restarted with the  following commands:

            stopsrc -s xntpd
            startsrc -s xntpd

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                    # fix package being previewed.
        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                    # fix package being installed.

        After installation the ntp daemon must be restarted:

        stopsrc -s xntpd

        startsrc -s xntpd

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    None.

===============================================================================

CONTACT US:

Note: Keywords labeled as KEY in this document are used for parsing
purposes.

If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":

    http://www.ibm.com/support/mynotifications

To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Comments regarding the content of this announcement can be
directed to:

    [email protected]

To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:

    Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:

    A. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

    B. Download the key from a PGP Public Key Server. The key ID is:

        0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

REFERENCES:

Complete CVSS v3 Guide:  http://www.first.org/cvss/user-guide
On-line Calculator v3:
    http://www.first.org/cvss/calculator/3.0

ACKNOWLEDGEMENTS:

None 

CHANGE HISTORY:

First Issued: Tue Sep  6 09:07:16 CDT 2016

| Updated: Tue Sep 13 08:23:22 CDT 2016
| Update: Changed the impacted upper level filesets listed for NTPv4.

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an “industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.