5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
0.097 Low
EPSS
Percentile
94.8%
ntp_advisory6.asc: Version 6
Version 6 Issued: Tue Aug 16 11:41:45 CDT 2016
Version 6 Changes: Fix added for AIX 7.2.0.2 and is now included in the
tar file, ntp_fix6.tar.
AIX 7.2.0.2 iFix for NTPv3: IV83995s2b.160713.epkg.Z
IBM SECURITY ADVISORY
First Issued: Wed Jun 8 13:17:48 CDT 2016
|Updated: Tue Aug 16 11:41:45 CDT 2016
|Update: Added iFix for AIX 7.2.0.2.
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc
Security Bulletin: Vulnerabilities in NTP affect AIX
CVE-2015-7973 CVE-2015-7977 CVE-2015-7979 CVE-2015-8158
CVE-2015-8139 CVE-2015-8140
===============================================================================
SUMMARY:
There are multiple vulnerabilities in NTP that impact AIX.
===============================================================================
VULNERABILITY DETAILS:
CVEID: CVE-2015-7973
https://vulners.com/cve/CVE-2015-7973
DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.
An attacker could exploit this vulnerability using authenticated
broadcast mode packets to conduct a replay attack and gain
unauthorized access to the system.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110018 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVEID: CVE-2015-7977
https://vulners.com/cve/CVE-2015-7977
DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL
pointer dereference. By sending a specially crafted ntpdc reslist
command, an attacker could exploit this vulnerability to cause a
segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110022 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2015-7979
https://vulners.com/cve/CVE-2015-7979
DESCRIPTION: NTP could allow a remote attacker to bypass security
restrictions. By sending specially crafted broadcast packets with bad
authentication, an attacker could exploit this vulnerability to cause
the target broadcast client to tear down the association with the
broadcast server.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110024 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
CVEID: CVE-2015-8139
https://vulners.com/cve/CVE-2015-8139
DESCRIPTION: NTP could allow a remote attacker to obtain sensitive
information, caused by an origin leak in ntpq and ntpdc. An attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110027 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2015-8140
https://vulners.com/cve/CVE-2015-8140
DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.
An attacker could exploit this vulnerability using ntpq to conduct a
replay attack and gain unauthorized access to the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110028 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2015-8158
https://vulners.com/cve/CVE-2015-8158
DESCRIPTION: NTP is vulnerable to a denial of service, caused by the
improper processing of incoming packets by ntpq. By sending specially
crafted data, an attacker could exploit this vulnerability to cause
the application to enter into an infinite loop.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/110026 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3, 6.1, 7.1, 7.2
VIOS 2.2.x
The following fileset levels are vulnerable:
key_fileset = aix
For NTPv3:
Fileset Lower Level Upper Level KEY PRODUCT(S)
-----------------------------------------------------------------
bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3
bos.net.tcp.client 6.1.9.0 6.1.9.102 key_w_fs NTPv3
bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs NTPv3
bos.net.tcp.client 7.1.4.0 7.1.4.1 key_w_fs NTPv3
bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3
bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3
For NTPv4:
Fileset Lower Level Upper Level KEY PRODUCT(S)
-----------------------------------------------------------------
ntp.rte 6.1.6.0 6.1.6.5 key_w_fs NTPv4
ntp.rte 7.1.0.0 7.1.0.5 key_w_fs NTPv4
Note: to find out whether the affected filesets are installed
on your systems, refer to the lslpp command found in AIX user's guide.
Example: lslpp -L | grep -i ntp.rte
REMEDIATION:
A. APARS
IBM has assigned the following APARs to this problem:
For NTPv3:
AIX Level APAR Availability SP KEY PRODUCT(S)
------------------------------------------------------------
5.3.12 IV84269 N/A key_w_apar NTPv3
6.1.9 IV83984 10/21/16 SP8 key_w_apar NTPv3
7.1.3 IV83993 1/27/17 SP8 key_w_apar NTPv3
7.1.4 IV83994 10/21/16 SP3 key_w_apar NTPv3
7.2.0 IV83995 1/27/17 SP3 key_w_apar NTPv3
For NTPv4:
AIX Level APAR Availability SP KEY PRODUCT(S)
------------------------------------------------------------
6.1.9 IV83992 10/21/16 SP8 key_w_apar NTPv4
7.1.3 IV83983 1/27/17 SP8 key_w_apar NTPv4
7.1.4 IV83983 10/21/16 SP3 key_w_apar NTPv4
7.2.0 IV83983 1/27/17 SP3 key_w_apar NTPv4
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IV83983
http://www.ibm.com/support/docview.wss?uid=isg1IV83984
http://www.ibm.com/support/docview.wss?uid=isg1IV83992
http://www.ibm.com/support/docview.wss?uid=isg1IV83993
http://www.ibm.com/support/docview.wss?uid=isg1IV83994
http://www.ibm.com/support/docview.wss?uid=isg1IV83995
http://www.ibm.com/support/docview.wss?uid=isg1IV84269
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
B. FIXES
Fixes are available.
The fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar
http://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar
https://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar
The link above is to a tar file containing this signed
advisory, fix packages, and OpenSSL signatures for each package.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.
For NTPv3:
AIX Level Interim Fix (*.Z) KEY PRODUCT(S)
----------------------------------------------------------
5.3.12.9 IV84269m9a.160522.epkg.Z key_w_fix NTPv3
6.1.9.4 IV83984m4a.160506.epkg.Z key_w_fix NTPv3
6.1.9.5 IV83984m5a.160510.epkg.Z key_w_fix NTPv3
6.1.9.6 IV83984m6a.160504.epkg.Z key_w_fix NTPv3
6.1.9.7 IV83984s7a.160622.epkg.Z key_w_fix NTPv3
7.1.3.4 IV83993m4b.160510.epkg.Z key_w_fix NTPv3
7.1.3.5 IV83993m5a.160510.epkg.Z key_w_fix NTPv3
7.1.3.6 IV83993m6a.160505.epkg.Z key_w_fix NTPv3
7.1.3.7 IV83993s7a.160714.epkg.Z key_w_fix NTPv3
7.1.4.0 IV83994m1a.160505.epkg.Z key_w_fix NTPv3
7.1.4.1 IV83994m1a.160505.epkg.Z key_w_fix NTPv3
7.1.4.2 IV83994s2a.160620.epkg.Z key_w_fix NTPv3
7.2.0.0 IV83995m0a.160510.epkg.Z key_w_fix NTPv3
7.2.0.1 IV83995m1a.160601.epkg.Z key_w_fix NTPv3
| 7.2.0.2 IV83995s2b.160713.epkg.Z key_w_fix NTPv3
VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)
-----------------------------------------------------------
2.2.4.0 IV83984m6a.160504.epkg.Z key_w_fix NTPv3
2.2.4.2x IV83984s7a.160622.epkg.Z key_w_fix NTPv3
For NTPv4:
AIX Level Interim Fix (*.Z) KEY PRODUCT(S)
----------------------------------------------------------
6.1.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4
7.1.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4
7.2.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4
VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)
-----------------------------------------------------------
2.2.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4
All fixes included are cumulative and address previously
issued AIX NTP security bulletins with respect to SP and TL.
To extract the fixes from the tar file:
tar xvf ntp_fix6.tar
cd ntp_fix6
Verify you have retrieved the fixes intact:
The checksums below were generated using the
"openssl dgst -sha256 file" command as the followng:
openssl dgst -sha256 filename KEY
-----------------------------------------------------------------------------------------------------
1dde048eab83d5519a8331f2db377a010f6adccb24665eaebabf2d8fb55decda IV83983s5a.160602.epkg.Z key_w_csum
afbe3f7603602dc81f7a55dd68f7e00f6d6c90672cc91dca6d647a5e9455f470 IV83984m4a.160506.epkg.Z key_w_csum
1df47de2dc201ac958da849a126b68f9c58c88ec4bd11ab0874465f25ba92878 IV83984m5a.160510.epkg.Z key_w_csum
7b26d3a1e5e420e2c93febbd87f73806cdef506793abe7508d189ef6ee2596a7 IV83984m6a.160504.epkg.Z key_w_csum
14ec9d1beab7335c197662ad57e112b17c25f2ffc13bb9b9767416b5dda9251b IV83984s7a.160622.epkg.Z key_w_csum
657a259c37c99aa990933f1ecd7719fcb07c7852acd3236bc33f932c45ad5bee IV83992s5a.160602.epkg.Z key_w_csum
cb890c4c7d3a0ab09fe10da469721737d2a4cbd3baa4da5214e68ce467a6b1b0 IV83993m4b.160510.epkg.Z key_w_csum
3b78ac22352ec959be91a561f23b13912f7fbda00974d818c5a66bc332e85abc IV83993m5a.160510.epkg.Z key_w_csum
0c73bb6b7da724d29400c4398fb98bc3cfb45a88e9744879fcde6c421108bee6 IV83993m6a.160505.epkg.Z key_w_csum
86998a1cb16cc5d5f941fe737709cd210754d85449a4cb280662026f6ef5bf09 IV83993s7a.160714.epkg.Z key_w_csum
c3abfb2272f6a6793f2ef9c4d5e8a54cf5d60c20d49b65414a9c5d2d28b9c964 IV83994m1a.160505.epkg.Z key_w_csum
540fcf0df555219d88619bac9e7de276010d26fad5957d5bac8decd19798bd93 IV83994s2a.160620.epkg.Z key_w_csum
7b214849e3d46c41498eef287497e7576f89fe274ca4305a6b3e5eb7e2be63dd IV83995m0a.160510.epkg.Z key_w_csum
97c9b857e023d89fdfc22730938ea4127c7efce25628d76abdc86337f64f7a03 IV83995m1a.160601.epkg.Z key_w_csum
| ef7f0f4a205af86be406ed7b1258080f8e916e5e6fbc86a8b7cdd927f670cd29 IV83995s2b.160713.epkg.Z key_w_csum
732f0254ace2786f5e7ddadef10e1e64cc381ecf5d6ebb9131b64115f87e8d52 IV84269m9a.160522.epkg.Z key_w_csum
These sums should match exactly. The OpenSSL signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security at
[email protected] and describe the discrepancy.
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>
Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig
C. FIX AND INTERIM FIX INSTALLATION
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
The fix will not take affect until any running xntpd servers
have been stopped and restarted with the following commands:
stopsrc -s xntpd
startsrc -s xntpd
To preview a fix installation:
installp -a -d fix_name -p all # where fix_name is the name of the
# fix package being previewed.
To install a fix package:
installp -a -d fix_name -X all # where fix_name is the name of the
# fix package being installed.
After installation the ntp daemon must be restarted:
stopsrc -s xntpd
startsrc -s xntpd
Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; however, IBM does fully support them.
Interim fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an interim fix installation:
emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an interim fix package:
emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
WORKAROUNDS AND MITIGATIONS:
For CVE-2015-8139 and CVE-2015-8140:
Monitor your ntpd instances.
If this sort of attack is an active problem for you, you have deeper
problems to investigate. Also consider having smaller NTP broadcast
domains.
If you must enable mode 7:
configure the use of a requestkey to control who can issue mode 7
requests.
configure restrict noquery to further limit mode 7 requests to
trusted sources.
Don't use broadcast mode if you cannot monitor your client servers.
===============================================================================
CONTACT US:
Note: Keywords labeled as KEY in this document are used for parsing
purposes.
If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":
http://www.ibm.com/support/mynotifications
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
Comments regarding the content of this announcement can be
directed to:
[email protected]
To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:
Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via [email protected] you
can either:
A. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
B. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
REFERENCES:
Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide
On-line Calculator v3:
http://www.first.org/cvss/calculator/3.0
ACKNOWLEDGEMENTS:
None
CHANGE HISTORY:
First Issued: Wed Jun 8 13:17:48 CDT 2016
Updated: Thu Jun 9 11:04:06 CDT 2016
Update: CVE-2015-8139 and CVE-2015-8140 added with clarified Workarounds
and Mitigations section.
Updated: Mon Jun 20 10:45:48 CDT 2016
Update: Added iFix for AIX 7.1.4.2.
Updated: Wed Jun 22 10:25:29 CDT 2016
Update: Added iFix for AIX 6.1.9.7 and VIOS 2.2.4.20.
Updated: Tue Jul 19 11:47:37 CDT 2016
Update: Added iFix for AIX 7.1.3.7.
| Updated: Tue Aug 16 11:41:45 CDT 2016
| Update: Added iFix for AIX 7.2.0.2.
===============================================================================
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an “industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
0.097 Low
EPSS
Percentile
94.8%