There is a vulnerability in the AIX smbcd daemon.
CVEID:CVE-2021-38993
**DESCRIPTION:**IBM AIX could allow a non-privileged local user to exploit a vulnerability in the smbcd daemon to cause a denial of service.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212962 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
AIX | 7.1 |
AIX | 7.2 |
AIX | 7.3 |
VIOS | 3.1 |
The following fileset levels are vulnerable:
Fileset | Lower Level | Upper Level |
---|---|---|
smbc.rte | 7.1.0.0 | 7.1.302.6 |
smbc.rte | 7.2.0.0 | 7.2.302.6 |
To determine if your system is vulnerable, execute the following commands:
lslpp -L | grep -i smbc.rte
A. FIXES
The fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/smbcd_fix.tar
<http://aix.software.ibm.com/aix/efixes/security/smbcd_fix.tar>
<https://aix.software.ibm.com/aix/efixes/security/smbcd_fix.tar>
The latest SMB client fileset may also be downloaded from:
<https://www.ibm.com/resources/mrs/assets?source=aixbp>
To extract the fixes from the tar file:
For AIX 7.1:
tar xvf smbcd_fix.tar
gunzip smbc_302_fileset_71.tar.gz | tar xvf
For AIX 7.2, 7.3, and VIOS 3.1:
tar xvf smbcd_fix.tar
gunzip smbc_302_fileset_72.tar.gz | tar xvf
IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.
To preview the fix installation:
installp -apYd . smbc
To install the fix package:
installp -aXYd . smbc
Verify you have retrieved the fixes intact:
The checksums below were generated using the “openssl dgst -sha256 [file]” command as the following:
openssl dgst -sha256 | filename |
---|---|
82386d9913a386c234dcef6bafa53c803d173760218cea34b94645ab18a89f1f | smbc_302_fileset_71.tar.gz |
ee3966422b87e95b3cdba9537f6276c8e48be9d89ca409fbd258c2a20230034b | smbc_302_fileset_72.tar.gz |
These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Support at <https://ibm.com/support/> and describe the discrepancy.
openssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]
openssl dgst -sha256 -verify [pubkey_file] -signature [fix_file].sig [fix_file]
Published advisory OpenSSL signature file location:
<http://aix.software.ibm.com/aix/efixes/security/smbcd_advisory.asc.sig>
<https://aix.software.ibm.com/aix/efixes/security/smbcd_advisory.asc.sig>
ftp://aix.software.ibm.com/aix/efixes/security/smbcd_advisory.asc.sig
None