Security Bulletin: Network Time Protocol (NTP) vulnerability in AIX which is used by IBM OS Images in IBM PureApplication Systems (CVE-2016-9310)

Summary

There are vulnerabilities in the Network Time Protocol (NTP) in AIX that is used by the OS Images for IBM PureApplication Software Suite, IBM Bluemix Local System and IBM PureApplication System/Software

Vulnerability Details

CVEID: CVE-2016-9310**
DESCRIPTION:** NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119087 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM PureApplication System V2.1
IBM PureApplication System V2.2

Remediation/Fixes

Use workaround below.

Workarounds and Mitigations

The deployed AIX-based virtual machines on IBM PureApplication System types are affected. The solution is to apply the following workaround:

1. Edit the /etc/ntp.conf file to include the line:
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap

2. Stop and restart the xntpd service:
stopsrc -s xntpd
startsrc -s xntpd