-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2671
    Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685 CVE-2019-6109
              CVE-2019-6110 CVE-2019-6111) Security Bulletin
                               18 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenSSH
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Overwrite Arbitrary Files      -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-6111 CVE-2019-6110 CVE-2019-6109
                   CVE-2018-20685

Reference:         ESB-2019.2141
                   ESB-2019.1420
                   ESB-2019.1270
                   ESB-2019.1255

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10872060

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685 CVE-2019-6109
CVE-2019-6110 CVE-2019-6111)

Product:             AIX family
Software version:    7.1, 7.2
Operating system(s): AIX
Reference #:         0872060

Security Bulletin

Summary

Vulnerabilities in OpenSSH affect AIX.

Vulnerability Details

CVEID: CVE-2019-6109
DESCRIPTION: OpenSSH could allow a remote attacker to conduct spoofing attacks,
caused by missing character encoding in the progress display. A
man-in-the-middle attacker could exploit this vulnerability to spoof scp client
output.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155488 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-6110
DESCRIPTION: OpenSSH could allow a remote attacker to conduct spoofing attacks,
caused by accepting and displaying arbitrary stderr output from the scp server.
A man-in-the-middle attacker could exploit this vulnerability to spoof scp
client output.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155487 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-6111
DESCRIPTION: OpenSSH could allow a remote attacker to overwrite arbitrary files
on the system, caused by missing received object name validation by the scp
client. The scp implementation accepts arbitrary files sent by the server and a
man-in-the-middle attacker could exploit this vulnerability to overwrite
unrelated files.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155486 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-20685
DESCRIPTION: OpenSSH could allow a remote attacker to bypass security
restrictions, caused by improper directory name validation in scp.c in the scp
client. A man-in-the-middle attacker could exploit this vulnerability by sending
a filename of . or an empty filename to bypass access restrictions and modify
the permissions of the target directory.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
155484 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
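All four issues sit on the receiving (sink) side of the scp protocol, where the
client creates whatever the server names and prints whatever the server says.
The Python model below is an added example, not code from OpenSSH or IBM: it
parses scp control records (C/D/E/T and the \x01/\x02 diagnostic records) and
puts the vulnerable behaviour beside the checks the upstream fixes introduced,
simplified from the OpenSSH 7.9/8.0 changes: rejecting empty, ".", ".." and
slash-containing names (CVE-2018-20685), requiring a non-recursive name to match
the requested pattern (CVE-2019-6111), and escaping non-printable characters
before any server-supplied text reaches the terminal (the class of problem in
CVE-2019-6109 and CVE-2019-6110). The record sample is constructed, and the
names sink, check_name and sanitize_for_display are chosen here.

```python
import fnmatch
import re

# One scp control record: C<mode> <size> <name> (file) or D<mode> <size> <name>
# (directory). E (end of directory) and T (timestamps) carry no name.
_RECORD = re.compile(r"^([CD])([0-7]{4}) (\d+) (.*)$")

# Constructed records as a server, or a MITM on the session, could send them to
# a client that ran `scp host:notes.txt .`. Example data, not captured traffic.
SERVER_RECORDS = [
    b"C0644 5 notes.txt\n",                 # the file that was requested
    b"C0644 42 .bash_aliases\n",            # unrelated file (CVE-2019-6111)
    b"D0777 0 .\n",                         # chmod of the target dir (CVE-2018-20685)
    b"E\n",
    b"\x01\x1b[2J\x1b[HTransfer OK\n",      # stderr with ANSI escapes (CVE-2019-6110)
]


class ScpError(Exception):
    """A record a hardened client refuses to act on."""


def sanitize_for_display(text):
    """Escape non-printable characters before server-supplied text reaches
    the terminal, so a name or diagnostic cannot rewrite the screen."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in text)


def check_name(name, requested, recursive):
    """Name checks modelled (simplified, an assumption) on the upstream fixes.
    First: no empty, '.', '..' or slash-containing names (CVE-2018-20685).
    Second: outside -r mode the name must match what the user asked for
    (CVE-2019-6111); with -r the client has no expected list to compare to."""
    if name == "" or name in (".", "..") or "/" in name:
        raise ScpError("unexpected filename: %s" % sanitize_for_display(name))
    if not recursive and not fnmatch.fnmatchcase(name, requested):
        raise ScpError("unexpected filename: %s" % sanitize_for_display(name))


def sink(records, requested, recursive=False, hardened=True):
    """Walk the records and return (accepted, messages): the entries the
    client would create and what it would print. hardened=False reproduces
    the vulnerable behaviour: any name is accepted and stderr is shown raw."""
    accepted, messages = [], []
    for raw in records:
        line = raw.decode("utf-8", "replace").rstrip("\n")
        if line == "E" or line.startswith("T"):
            continue
        if line[:1] in ("\x01", "\x02"):        # warning / fatal diagnostic
            text = line[1:]
            messages.append("server: " + (sanitize_for_display(text) if hardened else text))
            continue
        m = _RECORD.match(line)
        if m is None:
            messages.append("malformed record: " + sanitize_for_display(line))
            continue
        kind, mode, size, name = m.groups()
        if kind == "D" and not recursive:       # scp.c has always refused this
            messages.append("received directory without -r")
            continue
        if hardened:
            try:
                check_name(name, requested, recursive)
            except ScpError as e:
                messages.append(str(e))
                continue
        accepted.append((kind, mode, int(size), name))
    return accepted, messages


if __name__ == "__main__":
    for hardened in (False, True):
        acc, msgs = sink(SERVER_RECORDS, "notes.txt", hardened=hardened)
        print("hardened=%s creates %s" % (hardened, [a[3] for a in acc]))
        for msg in msgs:
            print("  " + sanitize_for_display(msg))
```

Run with hardened=False the client writes .bash_aliases next to notes.txt; with
hardened=True only notes.txt survives and the escape sequence is printed as
\x1b rather than executed by the terminal. In recursive mode the pattern check
cannot apply, so a hostile server can still choose names under the target tree,
and no client-side check stops a server from sending diagnostic text at all;
that is why the bulletin's advice to use sftp instead of scp is the stronger
control.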

Affected Products and Versions

+---------------------+----+
|Affected IBM Product |VRMF|
+---------------------+----+
|AIX                  |7.1 |
+---------------------+----+
|AIX                  |7.2 |
+---------------------+----+
|VIOS                 |2.2 |
+---------------------+----+
|VIOS                 |3.1 |
+---------------------+----+

The following fileset levels are vulnerable:
+-------------------+-----------+------------+
|Fileset            |Lower Level|Upper Level |
+-------------------+-----------+------------+
|openssh.base.client|4.0.0.5200 |7.5.102.1600|
+-------------------+-----------+------------+
|openssh.base.server|4.0.0.5200 |7.5.102.1600|
+-------------------+-----------+------------+
Note: To determine if your system is vulnerable, execute the following
commands:

lslpp -L | grep -i openssh.base.client
lslpp -L | grep -i openssh.base.server
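The two lslpp commands only print the installed levels; deciding whether a level
falls inside the vulnerable range still has to be done by hand, and comparing
VRMF strings lexically gets it wrong (the "1600" in 7.5.102.1600 sorts before
"900"). The Python check below is an added example, not from IBM's bulletin: it
parses lslpp -L style output (the sample lines are constructed), compares levels
numerically field by field, and reports any fileset inside the range from the
table above. Function and sample names are chosen here.

```python
import re

# Constructed samples of `lslpp -L | grep -i openssh.base` output, one
# unpatched host and one at the fixed level. Example data, not from a real
# system; real lslpp output has the same leading Fileset / Level columns.
LSLPP_UNPATCHED = """\
  openssh.base.client        7.5.102.1600    C     F    Open Secure Shell Commands
  openssh.base.server        7.5.102.1600    C     F    Open Secure Shell Server
"""
LSLPP_PATCHED = """\
  openssh.base.client        7.5.102.1800    C     F    Open Secure Shell Commands
  openssh.base.server        7.5.102.1800    C     F    Open Secure Shell Server
"""

# Vulnerable ranges from the bulletin's fileset table (inclusive).
VULNERABLE_RANGES = {
    "openssh.base.client": ("4.0.0.5200", "7.5.102.1600"),
    "openssh.base.server": ("4.0.0.5200", "7.5.102.1600"),
}

_LSLPP_LINE = re.compile(r"^\s*(\S+)\s+(\d+(?:\.\d+){3})\s")


def vrmf(level):
    """Turn 'V.R.M.F' into an int tuple so comparison is numeric per field."""
    parts = level.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a VRMF level: %r" % level)
    return tuple(int(p) for p in parts)


def parse_lslpp(text):
    """Map fileset name -> installed level from lslpp -L style output."""
    levels = {}
    for line in text.splitlines():
        m = _LSLPP_LINE.match(line)
        if m:
            levels[m.group(1)] = m.group(2)
    return levels


def vulnerable_filesets(text, ranges=VULNERABLE_RANGES):
    """Return [(fileset, level)] for installed filesets inside a vulnerable range."""
    hits = []
    installed = parse_lslpp(text)
    for fileset, (low, high) in ranges.items():
        level = installed.get(fileset)
        if level is not None and vrmf(low) <= vrmf(level) <= vrmf(high):
            hits.append((fileset, level))
    return hits


if __name__ == "__main__":
    for label, out in (("unpatched", LSLPP_UNPATCHED), ("patched", LSLPP_PATCHED)):
        print(label, vulnerable_filesets(out) or "no vulnerable fileset")
```

On a real host, feed it the captured output of `lslpp -L` instead of the sample
strings; a fileset that is not installed at all (for example a client-only
system without openssh.base.server) is simply not reported.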

Remediation/Fixes

FIXES

A fix is available for CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111.

+-------+----+----------------------------------------------------------------+
|Product|VRMF|Remediation/First Fix                                           |
+-------+----+----------------------------------------------------------------+
|AIX    |7.1 |https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do     |
|       |    |source=aixbp&S_PKG=openssh                                      |
+-------+----+----------------------------------------------------------------+
|AIX    |7.2 |https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do     |
|       |    |source=aixbp&S_PKG=openssh                                      |
+-------+----+----------------------------------------------------------------+
|VIOS   |2.2 |https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do     |
|       |    |source=aixbp&S_PKG=openssh                                      |
+-------+----+----------------------------------------------------------------+
|VIOS   |3.1 |https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do     |
|       |    |source=aixbp&S_PKG=openssh                                      |
+-------+----+----------------------------------------------------------------+
Please see the WORKAROUNDS AND MITIGATIONS section for mitigation steps in
response to CVE-2019-6110.
To extract the fixes from the tar file:

zcat openssh-7.5.102.1800.tar.Z | tar xvf -

Please refer to the Readme file to be aware of the changes that are part of the
release.

IMPORTANT: If possible, it is recommended that a mksysb backup of the system be
created. Verify it is both bootable and readable before proceeding. Note that
all previously reported security vulnerability fixes are also included in the
above-mentioned fileset level. Please refer to the readme file (provided along
with the fileset) for the complete list of vulnerabilities fixed.

To preview the fix installation:
installp -apYd . openssh

To install the fix package:
installp -aXYd . openssh

Published advisory OpenSSH signature file location:
http://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig
https://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig

openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig
[advisory_file]
openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

Workarounds and Mitigations

The potential impact of CVE-2019-6110 may be mitigated by using the sftp
command in place of the scp command.


Acknowledgement

None.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----