CVSS v3.1: 7.7 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
  Attack Vector: NETWORK   Attack Complexity: LOW   Privileges Required: LOW
  User Interaction: NONE   Scope: CHANGED
  Confidentiality Impact: NONE   Integrity Impact: HIGH   Availability Impact: NONE
CVSS v2: 5.0 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Access Vector: NETWORK   Access Complexity: LOW   Authentication: NONE
  Confidentiality Impact: NONE   Integrity Impact: NONE   Availability Impact: PARTIAL
EPSS: 0.93 High (percentile 99.0%)
ntp_advisory7.asc: Version 2
Version 2 Issued: Tue Sep 13 08:23:22 CDT 2016
Version 2 Changes: Changed the impacted upper level filesets listed for
NTPv4. The new levels should match the prereqs as listed in the
iFixes.
IBM SECURITY ADVISORY
First Issued: Tue Sep 6 09:07:16 CDT 2016
|Updated: Tue Sep 13 08:23:22 CDT 2016
|Update: Changed the impacted upper level filesets listed for NTPv4.
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc
Security Bulletin: Vulnerabilities in NTP affect AIX
CVE-2015-7974 CVE-2016-1550 CVE-2016-1551 CVE-2016-2517 CVE-2016-2518
CVE-2016-2519 CVE-2016-1547 CVE-2016-4957 CVE-2016-4953 CVE-2016-4954
CVE-2016-4955
===============================================================================
SUMMARY:
There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.
===============================================================================
VULNERABILITY DETAILS:
NTPv3 and NTPv4 are vulnerable to:
CVEID: CVE-2015-7974
https://vulners.com/cve/CVE-2015-7974
DESCRIPTION: NTP could allow a remote authenticated attacker to conduct
spoofing attacks, caused by a missing key check. An attacker could
exploit this vulnerability to impersonate a peer.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110019 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2016-1550
https://vulners.com/cve/CVE-2016-1550
DESCRIPTION: NTP could allow a local attacker to bypass security
restrictions, caused by the failure to use a constant-time memory
comparison function when validating the authentication digest on
incoming packets. By sending a specially crafted packet with an
authentication payload, an attacker could exploit this vulnerability
to conduct a timing attack to compute the value of the valid
authentication digest.
CVSS Base Score: 4.0
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112742 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2016-1551
https://vulners.com/cve/CVE-2016-1551
DESCRIPTION: While the majority of OSes implement martian packet filtering
in their network stack, at least for 127.0.0.0/8, a rare few will
accept packets claiming to be from 127.0.0.0/8 that arrive over a
physical network interface. On these OSes, if ntpd is configured to
use a reference clock, an attacker can inject packets over the network
that look like they are coming from that reference clock.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112743 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2016-2517
https://vulners.com/cve/CVE-2016-2517
DESCRIPTION: If ntpd was expressly configured to allow for remote
configuration, a malicious user who knows the controlkey for ntpq or
the requestkey for ntpdc (if mode7 is expressly enabled) can create a
session with ntpd and then send a crafted packet to ntpd that will
change the value of the trustedkey, controlkey, or requestkey to a
value that will prevent any subsequent authentication with ntpd until
ntpd is restarted.
CVSS Base Score: 4.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112745 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-2518
https://vulners.com/cve/CVE-2016-2518
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error
when using a specially crafted packet to create a peer association
with hmode > 7. An attacker could exploit this vulnerability to
cause the MATCH_ASSOC() function to trigger an out-of-bounds read.
CVSS Base Score: 2.0
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112746 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-2519
https://vulners.com/cve/CVE-2016-2519
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
failure to always check the ctl_getitem() function return value. By
sending an overly large value, an attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 4.2
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112747 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)
NTPv4 is additionally vulnerable to:
CVEID: CVE-2016-1547
https://vulners.com/cve/CVE-2016-1547
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
demobilization of a preemptable client association. By sending
specially crafted crypto NAK packets, an attacker could exploit this
vulnerability to cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/112739 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-4957
https://vulners.com/cve/CVE-2016-4957
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
improper handling of packets. By sending specially crafted
CRYPTO_NAK packets, an attacker could exploit this vulnerability to
cause ntpd to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113695 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2016-4953
https://vulners.com/cve/CVE-2016-4953
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
improper handling of packets. By sending specially crafted
CRYPTO_NAK packets to an ephemeral peer target prior to a response
being sent, a remote attacker could exploit this vulnerability to
demobilize the ephemeral association.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113696 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-4954
https://vulners.com/cve/CVE-2016-4954
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
improper handling of packets. By sending spoofed server packets with
correct origin timestamps, a remote attacker could exploit this
vulnerability to cause a false leap indication to be set.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113697 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-4955
https://vulners.com/cve/CVE-2016-4955
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
improper handling of packets. By sending spoofed CRYPTO_NAK or a bad
MAC packets with correct origin timestamps, a remote attacker could
exploit this vulnerability to cause the autokey association to reset.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/113698 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3, 6.1, 7.1, 7.2
VIOS 2.2.x
The following fileset levels are vulnerable:
key_fileset = aix
For NTPv3:
Fileset Lower Level Upper Level KEY PRODUCT(S)
-----------------------------------------------------------------
bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3
bos.net.tcp.client 6.1.9.0 6.1.9.102 key_w_fs NTPv3
bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs NTPv3
bos.net.tcp.client 7.1.4.0 7.1.4.1 key_w_fs NTPv3
bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3
bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3
For NTPv4:
Fileset Lower Level Upper Level KEY PRODUCT(S)
-----------------------------------------------------------------
| ntp.rte 6.1.6.0 6.1.6.7 key_w_fs NTPv4
| ntp.rte 7.1.0.0 7.1.0.7 key_w_fs NTPv4
Note: to find out whether the affected filesets are installed
on your systems, refer to the lslpp command in the AIX user's guide.
The example below lists both the NTPv3 filesets (bos.net.tcp.client,
bos.net.tcp.ntp, bos.net.tcp.ntpd) and the NTPv4 fileset (ntp.rte):
Example: lslpp -L | grep -E 'bos.net.tcp.client|bos.net.tcp.ntp|ntp.rte'
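As an added example (not part of IBM's advisory), the following POSIX shell script automates the lslpp check against the vulnerable ranges in the two tables above. It assumes the colon-separated layout of "lslpp -Lc" (fileset in the second field, level in the third); the input at the bottom is a constructed sample, not output from any real system. Levels are compared field by field as numbers, which matters because a text comparison would rank 6.1.9.102 below 6.1.9.9, and the upper level of each range is treated as inclusive, as in the tables.

```shell
#!/bin/sh
# Added example, not IBM's code: check installed AIX NTP filesets against the
# vulnerable ranges in ntp_advisory7.asc.  Input is in "lslpp -Lc" layout,
# assumed here to be colon-separated with the fileset in field 2 and the
# level in field 3; the sample at the bottom is constructed, not real output.

# Vulnerable ranges from the advisory: "<fileset> <lower> <upper>" (inclusive)
RANGES='
bos.net.tcp.client 5.3.12.0 5.3.12.10
bos.net.tcp.client 6.1.9.0 6.1.9.102
bos.net.tcp.client 7.1.3.0 7.1.3.47
bos.net.tcp.client 7.1.4.0 7.1.4.1
bos.net.tcp.ntp 7.2.0.0 7.2.0.2
bos.net.tcp.ntpd 7.2.0.0 7.2.0.2
ntp.rte 6.1.6.0 6.1.6.7
ntp.rte 7.1.0.0 7.1.0.7
'

# vrmf_cmp A B: prints -1, 0 or 1 comparing two V.R.M.F levels field by field
# as numbers (a plain string sort would rank 6.1.9.102 below 6.1.9.9)
vrmf_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# is_vulnerable FILESET LEVEL: true (0) when LEVEL lies inside one of the
# advisory's ranges for FILESET; filesets not in the table are never flagged
is_vulnerable() {
    echo "$RANGES" | while read -r rfs lo hi; do
        [ "$rfs" = "$1" ] || continue
        if [ "$(vrmf_cmp "$2" "$lo")" -ge 0 ] && [ "$(vrmf_cmp "$2" "$hi")" -le 0 ]; then
            echo yes
            break
        fi
    done | grep -q yes
}

# check_lslpp_line RECORD: classifies one lslpp -Lc record; the header line
# and blank lines are skipped silently
check_lslpp_line() {
    case $1 in '#'*|'') return 0 ;; esac
    fileset=$(printf '%s\n' "$1" | cut -d: -f2)
    level=$(printf '%s\n' "$1" | cut -d: -f3)
    if is_vulnerable "$fileset" "$level"; then
        printf 'VULNERABLE %s %s\n' "$fileset" "$level"
    else
        printf 'OK %s %s\n' "$fileset" "$level"
    fi
}

# scan_lslpp: reads lslpp -Lc records on stdin, prints one report line each
scan_lslpp() {
    while read -r record; do
        check_lslpp_line "$record"
    done
}

# Constructed sample in lslpp -Lc layout (not taken from any real system).
# On a live host use:  lslpp -Lc | scan_lslpp
SAMPLE='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos.net.tcp.client:bos.net.tcp.client:7.1.3.45:C: :C:F:TCP/IP Client Support
bos.net.tcp.client:bos.net.tcp.client:7.1.3.48:C: :C:F:TCP/IP Client Support
bos.net.tcp.ntp:bos.net.tcp.ntp:7.2.0.2:C: :C:F:Network Time Protocol
ntp.rte:ntp.rte:7.1.0.5:C: :C:F:NTP v4 Runtime
ntp.rte:ntp.rte:7.1.0.8:C: :C:F:NTP v4 Runtime'

printf '%s\n' "$SAMPLE" | scan_lslpp
```

Filesets that are not in the table (everything else "lslpp -Lc" prints) are reported as OK because no range matches them, so the script can be fed the full fileset listing. A level exactly on the upper bound (7.2.0.2 for bos.net.tcp.ntp above) is still flagged, which is what the tables mean by "Upper Level".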
REMEDIATION:
A. APARS
IBM has assigned the following APARs to this problem:
For NTPv3:
AIX Level APAR Availability SP KEY PRODUCT(S)
------------------------------------------------------------
5.3.12 IV87614 N/A key_w_apar NTPv3
6.1.9 IV87419 11/11/16 SP8 key_w_apar NTPv3
7.1.3 IV87615 1/27/17 SP8 key_w_apar NTPv3
7.1.4 IV87420 11/11/16 SP3 key_w_apar NTPv3
7.2.0 IV87939 1/27/17 SP3 key_w_apar NTPv3
For NTPv4:
AIX Level APAR Availability SP KEY PRODUCT(S)
------------------------------------------------------------
6.1.9 IV87278 11/11/16 SP8 key_w_apar NTPv4
7.1.3 IV87279 1/27/17 SP8 key_w_apar NTPv4
7.1.4 IV87279 11/11/16 SP3 key_w_apar NTPv4
7.2.0 IV87279 1/27/17 SP3 key_w_apar NTPv4
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IV87614
http://www.ibm.com/support/docview.wss?uid=isg1IV87419
http://www.ibm.com/support/docview.wss?uid=isg1IV87615
http://www.ibm.com/support/docview.wss?uid=isg1IV87420
http://www.ibm.com/support/docview.wss?uid=isg1IV87939
http://www.ibm.com/support/docview.wss?uid=isg1IV87278
http://www.ibm.com/support/docview.wss?uid=isg1IV87279
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
B. FIXES
Fixes are available.
The fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar
http://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar
https://aix.software.ibm.com/aix/efixes/security/ntp_fix7.tar
The link above is to a tar file containing this signed
advisory, fix packages, and OpenSSL signatures for each package.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.
For NTPv3:
AIX Level Interim Fix (*.Z) KEY PRODUCT(S)
----------------------------------------------------------
5.3.12.9 IV87614m9a.160901.epkg.Z key_w_fix NTPv3
6.1.9.5 IV87419m5d.160823.epkg.Z key_w_fix NTPv3
6.1.9.6 IV87419m6a.160823.epkg.Z key_w_fix NTPv3
6.1.9.7 IV87419m7a.160901.epkg.Z key_w_fix NTPv3
7.1.3.5 IV87615m5a.160823.epkg.Z key_w_fix NTPv3
7.1.3.6 IV87615m6a.160824.epkg.Z key_w_fix NTPv3
7.1.3.7 IV87615m7a.160901.epkg.Z key_w_fix NTPv3
7.1.4.0 IV87420m0a.160825.epkg.Z key_w_fix NTPv3
7.1.4.1 IV87420m0a.160825.epkg.Z key_w_fix NTPv3
7.1.4.2 IV87420m2a.160901.epkg.Z key_w_fix NTPv3
7.2.0.0 IV87939m0b.160830.epkg.Z key_w_fix NTPv3
7.2.0.1 IV87939m0b.160830.epkg.Z key_w_fix NTPv3
7.2.0.2 IV87939m2a.160901.epkg.Z key_w_fix NTPv3
VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)
-----------------------------------------------------------
2.2.4.0 IV87419m6a.160823.epkg.Z key_w_fix NTPv3
2.2.4.2x IV87419m7a.160901.epkg.Z key_w_fix NTPv3
For NTPv4:
AIX Level Interim Fix (*.Z) KEY PRODUCT(S)
----------------------------------------------------------
6.1.x IV87278s7a.160901.epkg.Z key_w_fix NTPv4
7.1.x IV87279s7a.160901.epkg.Z key_w_fix NTPv4
7.2.x IV87279s7a.160901.epkg.Z key_w_fix NTPv4
VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)
-----------------------------------------------------------
2.2.x IV87278s7a.160901.epkg.Z key_w_fix NTPv4
All fixes included are cumulative and address previously
issued AIX NTP security bulletins with respect to SP and TL.
To extract the fixes from the tar file:
tar xvf ntp_fix7.tar
cd ntp_fix7
Verify you have retrieved the fixes intact:
The checksums below were generated using the
"openssl dgst -sha256 file" command, as follows:
openssl dgst -sha256 filename KEY
-----------------------------------------------------------------------------------------------------
42f8a7cc469eb8db7b447b8bf37561ff1ac5b5b98f9ceac9cb5d6c31797a084f IV87278s7a.160901.epkg.Z key_w_csum
74b64a7d219f1bb91e9979191b329e74ebd3ae453f9e6c7b5ba5c1bf483d8795 IV87279s7a.160901.epkg.Z key_w_csum
e2569c0033e79fe3b9072c4eb3b3fbb0e577ea78fa2d821aa9cfd9dff0728d01 IV87419m5d.160823.epkg.Z key_w_csum
64446d618397eb759b5aadd3135ec0e54d1f7e7fcfccdb500812fd799f79580f IV87419m6a.160823.epkg.Z key_w_csum
2cfc0ac55e6bc5b0ade14e414004a113c49d63b8d9c0d1f9bb8f836ad402fde5 IV87419m7a.160901.epkg.Z key_w_csum
84f88fe1d81fdab21cbb1bca5c2cd0b9efd088123d5689cff2fc3070882269bb IV87420m0a.160825.epkg.Z key_w_csum
0512a77d83b978e8c0e0e0400f170dedf5ff05544256b9119b3dd8010a80eaca IV87420m2a.160901.epkg.Z key_w_csum
3681bf06ea3454bb988d0520a06aafe4c3a3dc2f0fc0e4d789f7b88cf44e70b1 IV87614m9a.160901.epkg.Z key_w_csum
86789563d0acf449d75f6b35fb8df94cd0af5d61eab05644454756960c13e5e0 IV87615m5a.160823.epkg.Z key_w_csum
f18ba3b6ac181feae7dc94b783e69ca22b7e747b60ebce5e24898807c011e92a IV87615m6a.160824.epkg.Z key_w_csum
4163cd0088894bd035d0cc2484c7139363208f815daa603855ff16a49283e704 IV87615m7a.160901.epkg.Z key_w_csum
8f63ff8609fa769c89b0ce5e37a3b2292fdc930f9c4a75b2cb75e4073756f0ff IV87939m0b.160830.epkg.Z key_w_csum
b70ff05f8ebb43e26535a2005630903a8b2efe035071a8ef16fe773cadedfcb9 IV87939m2a.160901.epkg.Z key_w_csum
These sums should match exactly. The OpenSSL signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security at
[email protected] and describe the discrepancy.
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>
Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc.sig
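As an added example (not IBM's code), the following POSIX shell script carries out the checksum verification above for every package in the table, using the same "openssl dgst -sha256" invocation the advisory names (with sha256sum or shasum as a fallback when openssl is not on the PATH; AIX also ships "csum -h SHA256", which is not used here). The sums are copied from the table; the package files are assumed to sit in the current directory, i.e. the extracted ntp_fix7 directory. A package that is absent is only reported, because you download only the ifix for your level, while any mismatch fails the run. Note that the signature check above uses -sha1 because that is how the published .sig files were produced, so the integrity guarantee rests on the public key itself, which should be taken from the IBM URL under CONTACT US and treated as the root of trust.

```shell
#!/bin/sh
# Added example, not IBM's code: verify the downloaded ifix packages against
# the SHA-256 sums published in ntp_advisory7.asc before installing them.
# Run it from the extracted ntp_fix7 directory.  It assumes openssl is on the
# PATH (the advisory's own tool), falling back to sha256sum or shasum.

# Sums copied from the advisory table: "<sha256> <package>" per line
ADVISORY_SUMS='
42f8a7cc469eb8db7b447b8bf37561ff1ac5b5b98f9ceac9cb5d6c31797a084f IV87278s7a.160901.epkg.Z
74b64a7d219f1bb91e9979191b329e74ebd3ae453f9e6c7b5ba5c1bf483d8795 IV87279s7a.160901.epkg.Z
e2569c0033e79fe3b9072c4eb3b3fbb0e577ea78fa2d821aa9cfd9dff0728d01 IV87419m5d.160823.epkg.Z
64446d618397eb759b5aadd3135ec0e54d1f7e7fcfccdb500812fd799f79580f IV87419m6a.160823.epkg.Z
2cfc0ac55e6bc5b0ade14e414004a113c49d63b8d9c0d1f9bb8f836ad402fde5 IV87419m7a.160901.epkg.Z
84f88fe1d81fdab21cbb1bca5c2cd0b9efd088123d5689cff2fc3070882269bb IV87420m0a.160825.epkg.Z
0512a77d83b978e8c0e0e0400f170dedf5ff05544256b9119b3dd8010a80eaca IV87420m2a.160901.epkg.Z
3681bf06ea3454bb988d0520a06aafe4c3a3dc2f0fc0e4d789f7b88cf44e70b1 IV87614m9a.160901.epkg.Z
86789563d0acf449d75f6b35fb8df94cd0af5d61eab05644454756960c13e5e0 IV87615m5a.160823.epkg.Z
f18ba3b6ac181feae7dc94b783e69ca22b7e747b60ebce5e24898807c011e92a IV87615m6a.160824.epkg.Z
4163cd0088894bd035d0cc2484c7139363208f815daa603855ff16a49283e704 IV87615m7a.160901.epkg.Z
8f63ff8609fa769c89b0ce5e37a3b2292fdc930f9c4a75b2cb75e4073756f0ff IV87939m0b.160830.epkg.Z
b70ff05f8ebb43e26535a2005630903a8b2efe035071a8ef16fe773cadedfcb9 IV87939m2a.160901.epkg.Z
'

# file_sha256 FILE: prints the lowercase hex SHA-256 of FILE
file_sha256() {
    if command -v openssl >/dev/null 2>&1; then
        # openssl prints "SHA256(FILE)= <hex>"; keep only the last field
        openssl dgst -sha256 "$1" | awk '{print tolower($NF)}'
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_package FILE EXPECTED: prints OK / MISMATCH / MISSING for FILE and
# returns 0 only when the computed sum equals EXPECTED exactly
verify_package() {
    if [ ! -f "$1" ]; then
        printf 'MISSING  %s\n' "$1"
        return 1
    fi
    actual=$(file_sha256 "$1")
    if [ "$actual" = "$2" ]; then
        printf 'OK       %s\n' "$1"
        return 0
    fi
    printf 'MISMATCH %s (computed %s, advisory lists %s)\n' "$1" "$actual" "$2"
    return 1
}

# verify_all: checks every package in ADVISORY_SUMS that exists in the current
# directory.  Absent packages are reported but tolerated (you only download
# the ifix for your level); any MISMATCH makes the function return 1.
verify_all() {
    report=$(echo "$ADVISORY_SUMS" | while read -r sum name; do
        [ -n "$name" ] || continue
        if [ -f "$name" ]; then
            verify_package "$name" "$sum" || :
        else
            printf 'absent   %s\n' "$name"
        fi
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISMATCH'
}

# Run from the directory produced by "tar xvf ntp_fix7.tar; cd ntp_fix7"
verify_all
```

Only install a package that the report lists as OK; a MISMATCH means a truncated or altered download, which is exactly the case the advisory asks you to report to [email protected].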
C. FIX AND INTERIM FIX INSTALLATION
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
The fix will not take effect until any running xntpd servers
have been stopped and restarted with the following commands:
stopsrc -s xntpd
startsrc -s xntpd
To preview a fix installation:
installp -a -d fix_name -p all # where fix_name is the name of the
# fix package being previewed.
To install a fix package:
installp -a -d fix_name -X all # where fix_name is the name of the
# fix package being installed.
After installation the ntp daemon must be restarted:
stopsrc -s xntpd
startsrc -s xntpd
Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; however, IBM does fully support them.
Interim fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an interim fix installation:
emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an interim fix package:
emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
WORKAROUNDS AND MITIGATIONS:
None.
===============================================================================
CONTACT US:
Note: Keywords labeled as KEY in this document are used for parsing
purposes.
If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":
http://www.ibm.com/support/mynotifications
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
Comments regarding the content of this announcement can be
directed to:
[email protected]
To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:
Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:
A. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
B. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
REFERENCES:
Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide
On-line Calculator v3:
http://www.first.org/cvss/calculator/3.0
ACKNOWLEDGEMENTS:
None
CHANGE HISTORY:
First Issued: Tue Sep 6 09:07:16 CDT 2016
| Updated: Tue Sep 13 08:23:22 CDT 2016
| Update: Changed the impacted upper level filesets listed for NTPv4.
===============================================================================
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an “industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.