Summary

There are vulnerabilities in OpenSSL used by AIX.

Vulnerability Details

CVEID: CVE-2018-0734 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing side channel attack in the DSA signature algorithm. An attacker could exploit this vulnerability using variations in the signing algorithm to recover the private key.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152085&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-5407 DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could allow a local attacker to obtain sensitive information, caused by execution engine sharing on Simultaneous Multithreading (SMT) architecture. By using the PortSmash new side-channel attack, an attacker could run a malicious process next to legitimate processes using the architectures parallel thread running capabilities to leak encrypted data from the CPU’s internal processes. Note: This vulnerability is known as PortSmash.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152484&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

AIX 5.3, 6.1, 7.1, 7.2
VIOS 2.2.x

The following fileset levels are vulnerable:

key_fileset = osrcaix

Fileset Lower Level Upper Level KEY
------------------------------------------------------
openssl.base 1.0.2.500 1.0.2.1600 key_w_fs
openssl.base 20.13.102.1000 20.16.102.1600 key_w_fs

Note:
A. 0.9.8, 1.0.1 OpenSSL versions are out-of-support. Customers are advised to upgrade to currently supported OpenSSL 1.0.2 version.

B. Latest level of OpenSSL fileset is available from the web download site:
https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?source=aixbp&amp;S_PKG=openssl

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in the AIX user’s guide.

Example: lslpp -L | grep -i openssl.base

Remediation/Fixes

A. FIXES

The fixes can be downloaded via ftp or http from:

ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix29.tar
http://aix.software.ibm.com/aix/efixes/security/openssl_fix29.tar
https://aix.software.ibm.com/aix/efixes/security/openssl_fix29.tar

The links above are to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

Note that the tar file contains Interim fixes that are based on OpenSSL version, and AIX OpenSSL fixes are cumulative.

You must be on the ‘prereq for installation’ level before applying the interim fix. This may require installing a new level(prereq version) first.

AIX Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY
--------------------------------------------------------------------------------------------
5.3, 6.1, 7.1, 7.2 102p_fix.181127.epkg.Z openssl.base(1.0.2.1600) key_w_fix
5.3, 6.1, 7.1, 7.2 fips_102p.181127.epkg.Z openssl.base(20.16.102.1600) key_w_fix

VIOS Level Interim Fix (*.Z) Fileset Name(prereq for installation) KEY
--------------------------------------------------------------------------------------------
2.2.x 102p_fix.181127.epkg.Z openssl.base(1.0.2.1600) key_w_fix
2.2.x fips_102p.181127.epkg.Z openssl.base(20.16.102.1600) key_w_fix

To extract the fixes from the tar file:

tar xvf openssl_fix29.tar
cd openssl_fix29

Verify you have retrieved the fixes intact:

The checksums below were generated using the “openssl dgst -sha256 file” command as the followng:

openssl dgst -sha256 filename KEY
-----------------------------------------------------------------------------------------------------
4f68017e5ff53cb74e0f6e30fc0410193dd1641e7997a5a9e4bc630d47666eaf 102p_fix.181127.epkg.Z key_w_csum
42714d3f644d4b3250314721ae2e32f0680fea264f9b358a50f7fe9c07713b38 fips_102p.181127.epkg.Z key_w_csum

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Support at https://ibm.com/support/ and describe the discrepancy.

openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>

openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory29.asc.sig
https://aix.software.ibm.com/aix/efixes/security/openssl_advisory29.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory29.asc.sig

B. FIX AND INTERIM FIX INSTALLATION

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg_name -p # where ipkg_name is the name of the

interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg_name -X # where ipkg_name is the name of the

interim fix package being installed.

Workarounds and Mitigations

None.