6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
0.022 Low
EPSS
Percentile
89.2%
IBM SECURITY ADVISORY
First Issued: Mon Feb 13 15:32:47 CST 2017
|Updated: Mon Oct 2 10:47:12 CDT 2017
|Update 2: Removed bos.net.tcp.ntp from the impacted fileset list for
| AIX 7200-01-02. Fileset bos.net.tcp.ntpd is still listed as impacted
| for AIX 7200-01-02.
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc
Security Bulletin: Vulnerabilities in NTP affect AIX
CVE-2016-7427 CVE-2016-7428 CVE-2016-9310 CVE-2016-9311
===============================================================================
SUMMARY:
There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.
===============================================================================
VULNERABILITY DETAILS:
NTPv3 and NTPv4 are vulnerable to:
CVEID: CVE-2016-7427
https://vulners.com/cve/CVE-2016-7427
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error
in broadcast mode replay prevention functionality. By sending specially
crafted NTP packets, a local attacker could exploit this vulnerability to
cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119088 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-7428
https://vulners.com/cve/CVE-2016-7428
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error
in broadcast mode poll interval enforcement functionality. By sending
specially crafted NTP packets, a remote attacker from within the local
network could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119089 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-9310
https://vulners.com/cve/CVE-2016-9310
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error
in the control mode (mode 6) functionality. By sending specially crafted
control mode packets, a remote attacker could exploit this vulnerability
to obtain sensitive information and cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119087 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID: CVE-2016-9311
https://vulners.com/cve/CVE-2016-9311
DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL
pointer dereference when trap service has been enabled. By sending specially
crafted packets, a remote attacker could exploit this vulnerability to cause
the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119086 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)
AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3, 6.1, 7.1, 7.2
VIOS 2.2
The following fileset levels are vulnerable:
key_fileset = aix
For NTPv3:
Fileset Lower Level Upper Level KEY PRODUCT(S)
------------------------------------------------------------------
bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3
bos.net.tcp.client 6.1.9.0 6.1.9.200 key_w_fs NTPv3
bos.net.tcp.client 7.1.3.0 7.1.3.48 key_w_fs NTPv3
bos.net.tcp.client 7.1.4.0 7.1.4.30 key_w_fs NTPv3
bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3
bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3
bos.net.tcp.ntpd 7.2.1.0 7.2.1.0 key_w_fs NTPv3
For NTPv4:
Fileset Lower Level Upper Level KEY PRODUCT(S)
-----------------------------------------------------------------
ntp.rte 6.1.6.0 6.1.6.7 key_w_fs NTPv4
ntp.rte 7.1.0.0 7.1.0.7 key_w_fs NTPv4
Note: To find out whether the affected filesets are installed
on your systems, refer to the lslpp command found in AIX user's
guide.
Example: lslpp -L | grep -i ntp.rte
REMEDIATION:
A. APARS
IBM has assigned the following APARs to this problem:
For NTPv3:
AIX Level APAR Availability SP KEY PRODUCT(S)
------------------------------------------------------------
5.3.12 IV92194 NA key_w_apar NTPv3
6.1.9 IV91803 ** SP9 key_w_apar NTPv3
7.1.3 IV92193 ** SP9 key_w_apar NTPv3
7.1.4 IV91951 ** SP4 key_w_apar NTPv3
7.2.0 IV92192 ** SP4 key_w_apar NTPv3
7.2.1 IV92067 ** SP2 key_w_apar NTPv3
For NTPv4:
AIX Level APAR Availability SP KEY PRODUCT(S)
------------------------------------------------------------
6.1.9 IV92287 ** SP9 key_w_apar NTPv4
7.1.3 IV92126 ** SP9 key_w_apar NTPv4
7.1.4 IV92126 ** SP4 key_w_apar NTPv4
7.2.0 IV92126 ** SP4 key_w_apar NTPv4
7.2.1 IV92126 ** SP2 key_w_apar NTPv4
** Please refer to AIX support lifecycle information page for availability
of Service Packs:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1012517
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IV91803
http://www.ibm.com/support/docview.wss?uid=isg1IV91951
http://www.ibm.com/support/docview.wss?uid=isg1IV92192
http://www.ibm.com/support/docview.wss?uid=isg1IV92287
http://www.ibm.com/support/docview.wss?uid=isg1IV92126
http://www.ibm.com/support/docview.wss?uid=isg1IV92194
http://www.ibm.com/support/docview.wss?uid=isg1IV92193
http://www.ibm.com/support/docview.wss?uid=isg1IV92067
https://www.ibm.com/support/docview.wss?uid=isg1IV91803
https://www.ibm.com/support/docview.wss?uid=isg1IV91951
https://www.ibm.com/support/docview.wss?uid=isg1IV92192
https://www.ibm.com/support/docview.wss?uid=isg1IV92287
https://www.ibm.com/support/docview.wss?uid=isg1IV92126
https://www.ibm.com/support/docview.wss?uid=isg1IV92194
https://www.ibm.com/support/docview.wss?uid=isg1IV92193
https://www.ibm.com/support/docview.wss?uid=isg1IV92067
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
B. FIXES
Fixes are available.
The fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar
http://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar
https://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar
The links above are to a tar file containing this signed
advisory, interim fixes, and OpenSSL signatures for each interim fix.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.
For NTPv3:
AIX Level Interim Fix (*.Z) KEY PRODUCT(S)
----------------------------------------------------------
5.3.12.9 IV92194m9a.170113.epkg.Z key_w_fix NTPv3
6.1.9.6 IV91803m6a.170112.epkg.Z key_w_fix NTPv3
6.1.9.7 IV91803m6a.170112.epkg.Z key_w_fix NTPv3
6.1.9.8 IV91803m6a.170112.epkg.Z key_w_fix NTPv3
7.1.3.5 IV92193m5a.170112.epkg.Z key_w_fix NTPv3
7.1.3.6 IV92193m5a.170112.epkg.Z key_w_fix NTPv3
7.1.3.7 IV92193m5a.170112.epkg.Z key_w_fix NTPv3
7.1.3.8 IV92193m5a.170112.epkg.Z key_w_fix NTPv3
7.1.4.1 IV91951m3a.170113.epkg.Z key_w_fix NTPv3
7.1.4.2 IV91951m3a.170113.epkg.Z key_w_fix NTPv3
7.1.4.3 IV91951m3a.170113.epkg.Z key_w_fix NTPv3
7.2.0.0 IV92192m2a.170112.epkg.Z key_w_fix NTPv3
7.2.0.1 IV92192m2a.170112.epkg.Z key_w_fix NTPv3
7.2.0.2 IV92192m2a.170112.epkg.Z key_w_fix NTPv3
7.2.1.0 IV92067s1a.170112.epkg.Z key_w_fix NTPv3
7.2.1.1 IV92067s1a.170112.epkg.Z key_w_fix NTPv3
VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)
-----------------------------------------------------------
2.2.4.2x IV91803m6a.170112.epkg.Z key_w_fix NTPv3
For NTPv4:
AIX Level Interim Fix (*.Z) KEY PRODUCT(S)
----------------------------------------------------------
6.1.x IV92287m5a.170113.epkg.Z key_w_fix NTPv4
7.1.x IV92126m3a.170106.epkg.Z key_w_fix NTPv4
7.2.x IV92126m3a.170106.epkg.Z key_w_fix NTPv4
All fixes included are cumulative and address previously
issued AIX NTP security bulletins with respect to SP and TL.
To extract the fixes from the tar file:
tar xvf ntp_fix8.tar
cd ntp_fix8
Verify you have retrieved the fixes intact:
The checksums below were generated using the
"openssl dgst -sha256 <filename>" command as the following:
openssl dgst -sha256 filename KEY
-----------------------------------------------------------------------------------------------------
70044311eab50e798b1a0756b8f7fef368b65ae79c03496c1fbcf5ba8da7b176 IV91803m6a.170112.epkg.Z key_w_csum
8ef346dbd1d7f3d8e9c03b21fa6e2cd1dca88de9d0951675a4787f34bf892f30 IV91951m3a.170113.epkg.Z key_w_csum
f6105a97e957651e8a464cfd6edd0ad50a74ba9dffb974925612f68d21fa7857 IV92192m2a.170112.epkg.Z key_w_csum
f1ab705600cc8b08dd11a6e12d1b32a2ec89b988557502ffffd6c06dd53936b9 IV92287m5a.170113.epkg.Z key_w_csum
57c9db9c53098f21e837a407e2b2dead1c1c754d44812eb0392d050e697ae2bd IV92126m3a.170106.epkg.Z key_w_csum
f8d9c43a2ae724a7a1e69caab5973aed0bb4b6ddc72bc57d038fad6faa680fa1 IV92194m9a.170113.epkg.Z key_w_csum
558db7a325e5d6733bac66f9b01a9dee4a93826163a50992ee99c1cb9f7dfe70 IV92193m5a.170112.epkg.Z key_w_csum
eee9aec25443fa496168f7c4cfb289dbfaeed96c8be0fc3cb57b888733e4f9d4 IV92067s1a.170112.epkg.Z key_w_csum
These sums should match exactly. The OpenSSL signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security at
[email protected] and describe the discrepancy.
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>
Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig
C. FIX AND INTERIM FIX INSTALLATION
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
The fix will not take affect until any running xntpd servers
have been stopped and restarted with the following commands:
stopsrc -s xntpd
startsrc -s xntpd
To preview a fix installation:
installp -a -d fix_name -p all # where fix_name is the name of the
# fix package being previewed.
To install a fix package:
installp -a -d fix_name -X all # where fix_name is the name of the
# fix package being installed.
After installation the ntp daemon must be restarted:
stopsrc -s xntpd
startsrc -s xntpd
Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; however, IBM does fully support them.
Interim fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an interim fix installation:
emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an interim fix package:
emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
WORKAROUNDS AND MITIGATIONS:
None.
===============================================================================
CONTACT US:
Note: Keywords labeled as KEY in this document are used for parsing
purposes.
If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":
http://www.ibm.com/support/mynotifications
https://www.ibm.com/support/mynotifications
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
Comments regarding the content of this announcement can be
directed to:
[email protected]
To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:
Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:
A. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
https://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
B. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
REFERENCES:
Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide
https://www.first.org/cvss/user-guide
On-line Calculator v3:
http://www.first.org/cvss/calculator/3.0
https://www.first.org/cvss/calculator/3.0
ACKNOWLEDGEMENTS:
None
CHANGE HISTORY:
First Issued: Mon Feb 13 15:32:47 CST 2017
Updated:Fri Feb 17 18:40:29 CST 2017
Update: New iFixes provided for NTPv3 in AIX 5.3.12.9,6.1.9.6,
6.1.9.8,7.1.3.5,7.1.3.6,7.1.3.7,7.1.3.8,7.1.4.3,7.2.0.0,7.2.0.2
7.2.1.0,7.2.1.1 and VIOS 2.2.4.x.
| Updated: Mon Oct 2 10:47:12 CDT 2017
| Update 2: Removed bos.net.tcp.ntp from the impacted fileset list for
| AIX 7200-01-02. Fileset bos.net.tcp.ntpd is still listed as impacted
| for AIX 7200-01-02.
===============================================================================
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an “industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
7.1 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
0.022 Low
EPSS
Percentile
89.2%