6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.089 Low
EPSS
Percentile
94.6%
IBM SECURITY ADVISORY
First Issued: Thu Jul 6 14:53:51 CDT 2017
|Updated: Mon Nov 13 14:32:25 CST 2017
|Update 3: Clarified that AIX 7100-04-05, 7200-00-05, and 7200-01-03 are
| impacted. An additional iFix is provided for AIX 7100-04-05. The
| iFixes already provided for 7200-00 and 7200-01 cover 7200-00-05
| and 7200-01-03.
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc
Security Bulletin: Vulnerabilities in NTP affect AIX
CVE-2017-6451 CVE-2017-6458 CVE-2017-6462 CVE-2017-6464
===============================================================================
SUMMARY:
There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.
===============================================================================
I.VULNERABILITY DETAILS:
NTPv4 is vulnerable to:
CVEID: CVE-2017-6458
https://vulners.com/cve/CVE-2017-6458
DESCRIPTION: NTP is vulnerable to a denial of service, caused by multiple buffer
overflows in the ctl_put() functions. By sending an overly long string argument,
a remote authenticated attacker could exploit this vulnerability to overflow a
buffer and cause the application to crash.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123616
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-6462
https://vulners.com/cve/CVE-2017-6462
DESCRIPTION: NTP is vulnerable to a denial of service, caused by a buffer overflow
in the legacy Datum Programmable Time Server refclock driver. By sending specially
crafted packets, a local authenticated attacker could exploit this vulnerability
to overflow a buffer and cause a denial of service.
CVSS Base Score: 1.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123611
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-6464
https://vulners.com/cve/CVE-2017-6464
DESCRIPTION: NTP is vulnerable to a denial of service. A remote authenticated attacker
could exploit this vulnerability using a malformed mode configuration directive to cause
the application to crash.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123610
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)
NTPv3 is vulnerable to:
CVEID: CVE-2017-6451
https://vulners.com/cve/CVE-2017-6451
DESCRIPTION: NTP could allow a local attacker to bypass security restrictions, caused by
an out-of-bounds memory write when handling the return value of snprintf()/vsnprintf()
functions. An attacker could exploit this vulnerability to overwrite a saved instruction
pointer on the stack and gain control over the execution flow.
CVSS Base Score: 1.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123617
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2017-6458
https://vulners.com/cve/CVE-2017-6458
DESCRIPTION: NTP is vulnerable to a denial of service, caused by multiple buffer
overflows in the ctl_put() functions. By sending an overly long string argument,
a remote authenticated attacker could exploit this vulnerability to overflow a buffer
and cause the application to crash.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123616
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2017-6462
https://vulners.com/cve/CVE-2017-6462
DESCRIPTION: NTP is vulnerable to a denial of service, caused by a buffer overflow
in the legacy Datum Programmable Time Server refclock driver. By sending specially crafted
packets, a local authenticated attacker could exploit this vulnerability to overflow a buffer
and cause a denial of service.
CVSS Base Score: 1.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123611
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)
CVEID: CVE-2017-6464
https://vulners.com/cve/CVE-2017-6464
DESCRIPTION: NTP is vulnerable to a denial of service. A remote authenticated attacker
could exploit this vulnerability using a malformed mode configuration directive to cause
the application to crash.
CVSS Base Score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123610
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)
II. AFFECTED PRODUCTS AND VERSIONS:
AIX 5.3, 6.1, 7.1, 7.2
VIOS 2.2
The following fileset levels are vulnerable:
key_fileset = aix
For NTPv3:
Fileset Lower Level Upper Level KEY PRODUCT(S)
------------------------------------------------------------------
bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3
bos.net.tcp.client 6.1.9.0 6.1.9.201 key_w_fs NTPv3
bos.net.tcp.client 7.1.3.0 7.1.3.49 key_w_fs NTPv3
bos.net.tcp.client 7.1.4.0 7.1.4.32 key_w_fs NTPv3
bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3
bos.net.tcp.ntp 7.2.1.0 7.2.1.0 key_w_fs NTPv3
bos.net.tcp.ntpd 7.2.0.0 7.2.0.3 key_w_fs NTPv3
bos.net.tcp.ntpd 7.2.1.0 7.2.1.1 key_w_fs NTPv3
For NTPv4:
Fileset Lower Level Upper Level KEY PRODUCT(S)
-----------------------------------------------------------------
ntp.rte 6.1.6.0 6.1.6.9 key_w_fs NTPv4
ntp.rte 7.1.0.0 7.1.0.9 key_w_fs NTPv4
Note: To find out whether the affected filesets are installed
on your systems, refer to the lslpp command found in AIX user's
guide.
Example: lslpp -L | grep -i ntp.rte
III. REMEDIATION:
A. FIXES
Fixes are available.
The fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix9.tar
http://aix.software.ibm.com/aix/efixes/security/ntp_fix9.tar
https://aix.software.ibm.com/aix/efixes/security/ntp_fix9.tar
The links above are to a tar file containing this signed
advisory, interim fixes, and OpenSSL signatures for each interim fix.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.
For NTPv3:
AIX Level Interim Fix (*.Z) KEY PRODUCT(S)
----------------------------------------------------------
5.3.12.9 IV96305m9a.170518.epkg.Z key_w_fix NTPv3
6.1.9.7 IV96306m9a.170519.epkg.Z key_w_fix NTPv3
6.1.9.8 IV96306m9a.170519.epkg.Z key_w_fix NTPv3
6.1.9.9 IV96306m9a.170519.epkg.Z key_w_fix NTPv3
7.1.3.7 IV96307m9a.170518.epkg.Z key_w_fix NTPv3
7.1.3.8 IV96307m9a.170518.epkg.Z key_w_fix NTPv3
7.1.3.9 IV96307m9a.170518.epkg.Z key_w_fix NTPv3
7.1.4.2 IV96308m4a.170518.epkg.Z key_w_fix NTPv3
7.1.4.3 IV96308m4a.170518.epkg.Z key_w_fix NTPv3
7.1.4.4 IV96308m4a.170518.epkg.Z key_w_fix NTPv3
| 7.1.4.5 IV96308m4b.171107.epkg.Z key_w_fix NTPv3
7.2.0.2 IV96309m4a.170518.epkg.Z key_w_fix NTPv3
7.2.0.3 IV96309m4a.170518.epkg.Z key_w_fix NTPv3
7.2.0.4 IV96309m4a.170518.epkg.Z key_w_fix NTPv3
7.2.0.5 IV96309m4a.170518.epkg.Z key_w_fix NTPv3
7.2.1.0 IV96310m2a.170519.epkg.Z key_w_fix NTPv3
7.2.1.1 IV96310m2a.170519.epkg.Z key_w_fix NTPv3
7.2.1.2 IV96310m2a.170519.epkg.Z key_w_fix NTPv3
7.2.1.3 IV96310m2a.170519.epkg.Z key_w_fix NTPv3
VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)
-----------------------------------------------------------
2.2.4.2x IV96306m9a.170519.epkg.Z key_w_fix NTPv3
For NTPv4:
AIX Level Interim Fix (*.Z) KEY PRODUCT(S)
----------------------------------------------------------
6.1.9.7 IV96311m5a.170518.epkg.Z key_w_fix NTPv4
6.1.9.8 IV96311m5a.170518.epkg.Z key_w_fix NTPv4
6.1.9.9 IV96311m5a.170518.epkg.Z key_w_fix NTPv4
7.1.3.7 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.1.3.8 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.1.3.9 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.1.4.2 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.1.4.3 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.1.4.4 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.2.0.2 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.2.0.3 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.2.0.4 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.2.1.0 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.2.1.1 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
7.2.1.2 IV96312m5a.170518.epkg.Z key_w_fix NTPv4
All fixes included are cumulative and address previously
issued AIX NTP security bulletins with respect to SP and TL.
To extract the fixes from the tar file:
tar xvf ntp_fix9.tar
cd ntp_fix9
Verify you have retrieved the fixes intact:
The checksums below were generated using the
"openssl dgst -sha256 <filename>" command as the following:
openssl dgst -sha256 filename KEY
-----------------------------------------------------------------------------------------------------
5fc5ac58dcc41f427bdd29da28cce00b5e90a0adf8f773592a21593bb7c0b72e IV96305m9a.170518.epkg.Z key_w_csum
ed9469eea0622397eb9260fb8d0575562459a47c848d5a37a604f104833e9262 IV96306m9a.170519.epkg.Z key_w_csum
5ac9f3971dd2b090fe794b2e033230374c22d017ce8d93e8db91fa82ca820b69 IV96307m9a.170518.epkg.Z key_w_csum
770ceae338b4bdf6b3367abfc82c6c2d2fb0972c141434c434a60d5e230ca25a IV96308m4a.170518.epkg.Z key_w_csum
| 2e9d5da20c67d8e7f47abc72c822fbc0dceff0ea0452a4002ab20f5478da1ece IV96308m4b.171107.epkg.Z key_w_csum
521c64dee9c966ad7f5347cd2983139045115a2ad48a8a8d1901c5e917f2e367 IV96309m4a.170518.epkg.Z key_w_csum
40cf7ffbf4476c8998164203f631fca4d1af12fe3494eb66e05217eaff6b3464 IV96310m2a.170519.epkg.Z key_w_csum
0cf956028c6d25ef1de3a40b1b42544e35e2208913b332f05980932a4ff1c3c7 IV96311m5a.170518.epkg.Z key_w_csum
9c7d969d0a9127217d15781b2a596f41023b41db7d91f3cf4c6ad2e5d9e088c8 IV96312m5a.170518.epkg.Z key_w_csum
These sums should match exactly. The OpenSSL signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security at
[email protected] and describe the discrepancy.
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>
Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc.sig
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory9.asc.sig
B. FIX AND INTERIM FIX INSTALLATION
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
The fix will not take affect until any running xntpd servers
have been stopped and restarted with the following commands:
stopsrc -s xntpd
startsrc -s xntpd
To preview a fix installation:
installp -a -d fix_name -p all # where fix_name is the name of the
# fix package being previewed.
To install a fix package:
installp -a -d fix_name -X all # where fix_name is the name of the
# fix package being installed.
After installation the ntp daemon must be restarted:
stopsrc -s xntpd
startsrc -s xntpd
Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; however, IBM does fully support them.
Interim fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an interim fix installation:
emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an interim fix package:
emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
C. APARS
IBM has assigned the following APARs to this problem:
For NTPv3:
AIX Level APAR Availability SP KEY PRODUCT(S)
------------------------------------------------------------
5.3.12 IV96305 ** N/A key_w_apar NTPv3
6.1.9 IV96306 ** SP10 key_w_apar NTPv3
7.1.3 IV96307 ** N/A key_w_apar NTPv3
7.1.4 IV96308 ** SP6 key_w_apar NTPv3
7.2.0 IV96309 ** SP6 key_w_apar NTPv3
7.2.1 IV96310 ** SP4 key_w_apar NTPv3
For NTPv4:
AIX Level APAR Availability SP KEY PRODUCT(S)
------------------------------------------------------------
6.1.9 IV96311 ** SP10 key_w_apar NTPv4
7.1.3 IV96312 ** N/A key_w_apar NTPv4
7.1.4 IV96312 ** SP5 key_w_apar NTPv4
7.2.0 IV96312 ** SP5 key_w_apar NTPv4
7.2.1 IV96312 ** SP3 key_w_apar NTPv4
** Please refer to AIX support lifecycle information page for
of Service Packs Support:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1012517
Subscribe to the APARs here:
https://www.ibm.com/support/docview.wss?uid=isg1IV96305
https://www.ibm.com/support/docview.wss?uid=isg1IV96306
https://www.ibm.com/support/docview.wss?uid=isg1IV96307
https://www.ibm.com/support/docview.wss?uid=isg1IV96308
https://www.ibm.com/support/docview.wss?uid=isg1IV96309
https://www.ibm.com/support/docview.wss?uid=isg1IV96310
https://www.ibm.com/support/docview.wss?uid=isg1IV96311
https://www.ibm.com/support/docview.wss?uid=isg1IV96312
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
IV. WORKAROUNDS AND MITIGATIONS:
None.
===============================================================================
CONTACT US:
Note: Keywords labeled as KEY in this document are used for parsing
purposes.
If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":
http://www.ibm.com/support/mynotifications
https://www.ibm.com/support/mynotifications
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:
Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
Please contact your local IBM AIX support center for any
assistance.
REFERENCES:
Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide
https://www.first.org/cvss/user-guide
On-line Calculator v3:
http://www.first.org/cvss/calculator/3.0
https://www.first.org/cvss/calculator/3.0
ACKNOWLEDGEMENTS:
None
CHANGE HISTORY:
First Issued: Thu Jul 6 14:53:51 CDT 2017
Updated: Wed Sep 13 11:08:51 CDT 2017
Update 1: Corrected the impacted Upper Level fileset levels.
The following NTPv3 VRMFs are vulnerable:
AIX 6.1.9: bos.net.tcp.client up to and including 6.1.9.201.
AIX 7.1.3: bos.net.tcp.client up to and including 7.1.3.49.
AIX 7.1.4: bos.net.tcp.client up to and including 7.1.4.31.
AIX 7.2.0: bos.net.tcp.ntpd up to and including 7.2.0.3.
AIX 7.2.1: bos.net.tcp.ntpd up to and including 7.2.1.1.
The following NTPv4 VRMFs are vulnerable:
ntp.rte 6.1: up to and including 6.1.6.9.
ntp.rte 7.1: up to and including 7.1.0.9.
Updated: Fri Oct 20 08:30:30 CDT 2017
Update 2: Corrected the impacted Upper Level fileset levels for 7100-04.
The following NTPv3 VRMFs are vulnerable:
AIX 7.1.4: bos.net.tcp.client up to and including 7.1.4.32.
Corrected the APAR section to show that the relevant APARs are
shipping in 7100-04-06, 7200-00-06, and 7200-01-04.
| Updated: Mon Nov 13 14:32:25 CST 2017
| Update 3: Clarified that AIX 7100-04-05, 7200-00-05, and 7200-01-03 are
| impacted. An additional iFix is provided for AIX 7100-04-05. The
| iFixes already provided for 7200-00 and 7200-01 cover 7200-00-05
| and 7200-01-03.
===============================================================================
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an โindustry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.โ IBM PROVIDES THE CVSS SCORES โAS ISโ WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.089 Low
EPSS
Percentile
94.6%