IBM SECURITY ADVISORY

First Issued: Wed Jun 17 09:52:06 CDT 2015
|Updated: Fri Jun 26 15:52:00 CDT 2015
|Update: Added clarification that the sendmail fixes only apply when
|using the SSL-enabled sendmail binary, /usr/sbin/sendmail_ssl


The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/nettcp_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/nettcp_advisory.asc

 
Security Bulletin: Vulnerability in SSLv3 affects ftpd, sendmail, imapd, 
 and popd on AIX (CVE-2014-3566)


===============================================================================

SUMMARY:

    SSLv3 contains a vulnerability that has been referred to as the Padding
    Oracle On Downgraded Legacy Encryption (POODLE) attack.  SSLv3 is enabled
|   in ftpd, sendmail when using the sendmail_ssl binary, imapd, and popd on
    AIX.


===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2014-3566
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566


    DESCRIPTION:

        Product could allow a remote attacker to obtain sensitive information,
        caused by a design error when using the SSLv3 protocol. A remote user
        with the ability to conduct a man-in-the-middle attack could exploit
        this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy
        Encryption) attack to decrypt SSL sessions and access the plaintext
        of encrypted connections.


    CVSS:
 
        CVSS Base Score: 4.3
        CVSS Temporal Score: See 
        http://xforce.iss.net/xforce/xfdb/97013 for the current score. 
        CVSS Environmental Score*: Undefined
        CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


    AFFECTED PRODUCTS AND VERSIONS:
 
        AIX 6.1, 7.1
        VIOS 2.2.x

        The following fileset levels are vulnerable:
 
        AIX Fileset        Lower Level Upper Level KEY
        --------------------------------------------------------
        bos.net.tcp.client 6.1.0.0     6.1.8.19    key_w_fs
        bos.net.tcp.client 6.1.0.0     6.1.9.48    key_w_fs
        bos.net.tcp.client 7.1.0.0     7.1.2.19    key_w_fs
        bos.net.tcp.client 7.1.0.0     7.1.3.48    key_w_fs

        bos.net.tcp.server 6.1.0.0     6.1.8.18    key_w_fs
        bos.net.tcp.server 6.1.0.0     6.1.9.45    key_w_fs
        bos.net.tcp.server 7.1.0.0     7.1.2.18    key_w_fs
        bos.net.tcp.server 7.1.0.0     7.1.3.45    key_w_fs

        AIX Fileset (VIOS)  Lower Level           Upper Level
        ------------------------------------------------------------
        bos.net.tcp.client  6.1.0.0(2.2.0.0)      6.1.8.19(2.2.2.6)
        bos.net.tcp.client  6.1.0.0(2.2.0.0)      6.1.9.48(2.2.3.50)

        bos.net.tcp.server  6.1.0.0(2.2.0.0)      6.1.8.18(2.2.2.6)
        bos.net.tcp.server  6.1.0.0(2.2.0.0)      6.1.9.45(2.2.3.50)


        Note:  to find out whether the affected filesets are installed 
        on your systems, refer to the lslpp command found in AIX user's guide.

        Example:  lslpp -L | grep -i bos.net.tcp.client 


    REMEDIATION:
        
        A. APARS
            
            IBM has assigned the following APARs to this problem:

            For ftpd:

            AIX Level APAR     Availability  SP   KEY
            ---------------------------------------------------
            6.1.8     IV69768  9/30/15       SP7  key_w_apar
            6.1.9     IV73324  12/04/15      SP6  key_w_apar
            7.1.2     IV73319  9/30/15       SP7  key_w_apar
            7.1.3     IV73316  2/26/16       SP6  key_w_apar

            Subscribe to the APARs here:

            http://www.ibm.com/support/docview.wss?uid=isg1IV69768
            http://www.ibm.com/support/docview.wss?uid=isg1IV73324
            http://www.ibm.com/support/docview.wss?uid=isg1IV73319
            http://www.ibm.com/support/docview.wss?uid=isg1IV73316

            For sendmail:
|           Please note that these only apply to the SSL-enabled
|           sendmail binary, /usr/sbin/sendmail_ssl.  The default
|           sendmail binary, /usr/sbin/sendmail, does not use SSL and
|           is therefore not vulnerable to POODLE.

            AIX Level APAR     Availability  SP   KEY
            ---------------------------------------------------
            6.1.8     IV73416  9/30/15       SP7  key_w_apar
            6.1.9     IV73417  12/04/15      SP6  key_w_apar
            7.1.2     IV73418  9/30/15       SP7  key_w_apar
            7.1.3     IV73419  2/26/16       SP6  key_w_apar

            Subscribe to the APARs here:

            http://www.ibm.com/support/docview.wss?uid=isg1IV73416
            http://www.ibm.com/support/docview.wss?uid=isg1IV73417
            http://www.ibm.com/support/docview.wss?uid=isg1IV73418
            http://www.ibm.com/support/docview.wss?uid=isg1IV73419

            For imapd and popd:

            AIX Level APAR     Availability  SP   KEY
            ---------------------------------------------------
            6.1.8     IV73973  9/30/15       SP7  key_w_apar
            6.1.9     IV73976  12/04/15      SP6  key_w_apar
            7.1.2     IV73974  9/30/15       SP7  key_w_apar
            7.1.3     IV73975  2/26/16       SP6  key_w_apar

            Subscribe to the APARs here:

            http://www.ibm.com/support/docview.wss?uid=isg1IV73973
            http://www.ibm.com/support/docview.wss?uid=isg1IV73976
            http://www.ibm.com/support/docview.wss?uid=isg1IV73974
            http://www.ibm.com/support/docview.wss?uid=isg1IV73975

            By subscribing, you will receive periodic email alerting you
            to the status of the APAR, and a link to download the fix once
            it becomes available.

        B. FIXES

            Fixes are available.  The fixes can be downloaded via ftp or
            http from:

            ftp://aix.software.ibm.com/aix/efixes/security/nettcp_fix.tar
            http://aix.software.ibm.com/aix/efixes/security/nettcp_fix.tar
            https://aix.software.ibm.com/aix/efixes/security/nettcp_fix.tar 

            The link above is to a tar file containing this signed
            advisory, fix packages, and OpenSSL signatures for each package.
            The fixes below include prerequisite checking. This will
            enforce the correct mapping between the fixes and AIX
            Technology Levels.

            For ftpd:

            AIX Level  Interim Fix (*.Z)         KEY
            ------------------------------------------------
            6.1.8.6    IV69768s6a.150515.epkg.Z  key_w_fix
            6.1.9.5    IV73324s5a.150515.epkg.Z  key_w_fix
            7.1.2.6    IV73319s6a.150515.epkg.Z  key_w_fix
            7.1.3.5    IV73316s5a.150515.epkg.Z  key_w_fix

            For sendmail:
|           Please note that these only apply to the SSL-enabled
|           sendmail binary, /usr/sbin/sendmail_ssl.  The default
|           sendmail binary, /usr/sbin/sendmail, does not use SSL and
|           is therefore not vulnerable to POODLE.

            AIX Level  Interim Fix (*.Z)         KEY
            ------------------------------------------------
            6.1.8.6    IV73416s6a.150520.epkg.Z  key_w_fix
            6.1.9.5    IV73417s5a.150520.epkg.Z  key_w_fix
            7.1.2.6    IV73418s6a.150520.epkg.Z  key_w_fix
            7.1.3.5    IV73419s5a.150520.epkg.Z  key_w_fix

            For imapd and popd:
            
            AIX Level  Interim Fix (*.Z)         KEY
            ------------------------------------------------
            6.1.8.6    IV73973s6a.150609.epkg.Z  key_w_fix
            6.1.9.5    IV73976s5a.150609.epkg.Z  key_w_fix
            7.1.2.6    IV73974s6b.150610.epkg.Z  key_w_fix
            7.1.3.5    IV73975s5a.150619.epkg.Z  key_w_fix

            To extract the fixes from the tar file:

            tar xvf nettcp_fix.tar
            cd nettcp_fix

            Verify you have retrieved the fixes intact:

            The checksums below were generated using the
            "openssl dgst -sha256 file" command as the followng:

            For ftpd:
    
            openssl dgst -sha256                                              
            filename                 KEY
            ----------------------------------------------------------------
            -------------------------------------
            e7abdef186219eb2b039cc19746a1914725b2018d6ff9558bd43df3fa18514fa  
            IV69768s6a.150515.epkg.Z key_w_csum
            9f608ce43a1d828d3414f9c02fc41358d0e9ae4dcbac4d7f549d7cc9b5a7afb4  
            IV73324s5a.150515.epkg.Z key_w_csum
            89a73255f06eb6bffeb5884bfce3b1a3b97b1e4d477affb7b92c4c8a9196de75  
            IV73319s6a.150515.epkg.Z key_w_csum
            4ad25780e666538604e490494d7c5b6c48b9ed71c72d9f54cecd749480851c59  
            IV73316s5a.150515.epkg.Z key_w_csum 

            For sendmail:

            openssl dgst -sha256                                              
            filename                 KEY
            ----------------------------------------------------------------
            -------------------------------------
            7083ce308673424836224cadf6e021df35bf461b66a262c2691c043748242ee9  
            IV73416s6a.150520.epkg.Z key_w_csum
            638e54c7f0218f020370e261d4d4a68b355568dbf5119384c4a82c7d4b374832  
            IV73417s5a.150520.epkg.Z key_w_csum
            cd99a31c28acdc76d6a5c48b47c3c915cd7fd1c18b2cab1e356aed47fc7d2a97  
            IV73418s6a.150520.epkg.Z key_w_csum
            21f0b58c4a5bebb91c7f531ec3f8a301ba45b991cf1bd27fd323926d28b269e9  
            IV73419s5a.150520.epkg.Z key_w_csum

            For imapd and popd:

            openssl dgst -sha256                                              
            filename                 KEY
            ----------------------------------------------------------------
            -------------------------------------
            3e3e27c1b2b07b363423fba245047c6ddf2e94605d0d051e2d50b08bf74b2c23  
            IV73973s6a.150609.epkg.Z key_w_csum
            a4225da8f1fa4173e2a483dd656bdc2b5ac0fd8c68f4a1434eac05daeb1bdca9  
            IV73976s5a.150609.epkg.Z key_w_csum
            b2e11c499f66f09f3268626939b2037b3b6e949a2a80dc1f3551998a47d5815a  
            IV73974s6b.150610.epkg.Z key_w_csum
            b2160ee3496e57cae7d66c480bd8c2b965e37b43564731fd799a335c00a7d11b  
            IV73975s5a.150619.epkg.Z key_w_csum


            These sums should match exactly. The OpenSSL signatures in the tar
            file and on this advisory can also be used to verify the
            integrity of the fixes.  If the sums or signatures cannot be
            confirmed, contact IBM AIX Security at
            security-alert@austin.ibm.com and describe the discrepancy.
            
            openssl dgst -sha1 -verify  -signature
.sig 

            openssl dgst -sha1 -verify  -signature .sig


            Published advisory OpenSSL signature file location:
 
           
http://aix.software.ibm.com/aix/efixes/security/nettcp_advisory.asc.sig
           
https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory.asc.sig
           
ftp://aix.software.ibm.com/aix/efixes/security/nettcp_advisory.asc.sig 

        C. FIX AND INTERIM FIX INSTALLATION

            IMPORTANT: If possible, it is recommended that a mksysb backup
            of the system be created.  Verify it is both bootable and
            readable before proceeding.

            To preview a fix installation:

            installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.
            To install a fix package:

            installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

            Interim fixes have had limited functional and regression
            testing but not the full regression testing that takes place
            for Service Packs; however, IBM does fully support them.

            Interim fix management documentation can be found at:

           
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

            To preview an interim fix installation:

            emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                         # interim fix package being previewed.

            To install an interim fix package:

            emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                         # interim fix package being installed.


    WORKAROUNDS AND MITIGATIONS:

        None.


===============================================================================

CONTACT US:

    If you would like to receive AIX Security Advisories via email,
    please visit "My Notifications":

        http://www.ibm.com/support/mynotifications

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To obtain the OpenSSL public key that can be used to verify the
    signed advisories and ifixes:

        Download the key from our web page:

       
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team via security-alert@austin.ibm.com you
    can either:

        A. Download the key from our web page:

           
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

        B. Download the key from a PGP Public Key Server. The key ID is:

            0x28BFAA12

    Please contact your local IBM AIX support center for any
    assistance.


REFERENCES:
 
    Complete CVSS Guide:  http://www.first.org/cvss/cvss-guide.html
    On-line Calculator V2:  
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2


ACKNOWLEDGEMENTS:

    None.


CHANGE HISTORY:

    First Issued: Wed Jun 17 09:52:06 CDT 2015
    Updated: Thu Jun 18 09:48:23 CDT 2015
    Update: Corrected vulnerable 7.1.2 upper fileset levels
    Updated: Fri Jun 19 08:27:55 CDT 2015
    Update: New iFix IV73975s5a filename and checksum. iFix rebuilt with a new,
    corrected description on install but is functionally the same.
|   Updated: Fri Jun 26 15:52:00 CDT 2015
|   Update: Added clarification that the sendmail fixes only apply when
|   using the SSL-enabled sendmail binary, /usr/sbin/sendmail_ssl

LEAVE A REPLY

Please enter your comment!
Please enter your name here