ESB-2018.1344 - [AIX] IBM AIX: Denial of service - Remote with user interaction 2018-05-03

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1344
                   Vulnerability in OpenSSL affects AIX
                                3 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM AIX
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0739  

Reference:         ASB-2018.0095
                   ESB-2018.0896
                   ESB-2018.0932.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=isg3T1027517

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2018-0739)


Document information

More support for: AIX family

Software version: 5.3, 6.1, 7.1, 7.2

Operating system(s): AIX

Reference #: T1027517

Modified date: 30 April 2018


Security Bulletin

Summary

There is a vulnerability in OpenSSL used by AIX.

Vulnerability Details

CVEID: CVE-2018-0739
DESCRIPTION: Constructed ASN.1 types with a recursive definition (such as can
be found in PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
140847 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

AIX 5.3, 6.1, 7.1, 7.2
VIOS 2.2.x

The following fileset levels are vulnerable:
        
Fileset          Lower Level   Upper Level    KEY
- ------------------------------------------------------
openssl.base    1.0.2.500      1.0.2.1300     key_w_fs
openssl.base    20.13.102.1000 20.13.102.1300 key_w_fs

       
Note:  

A. 0.9.8, 1.0.1 OpenSSL versions are out-of-support. Customers
are advised to upgrade to currently supported OpenSSL 1.0.2 version.

B. Latest level of OpenSSL fileset is available from the web download site:

https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=aixbp&
lang=en_US&S_PKG=openssl&cp=UTF-8
  
To find out whether the affected filesets are installed on your systems,  refer
to the lslpp command found in the AIX user's guide.

Example:  lslpp -L | grep -i openssl.base

Remediation/Fixes

A. FIXES

The fixes can be downloaded via ftp or http from:

ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix26.tar
http://aix.software.ibm.com/aix/efixes/security/openssl_fix26.tar
https://aix.software.ibm.com/aix/efixes/security/openssl_fix26.tar

The links above are to a tar file containing this signed advisory, fix
packages, and OpenSSL signatures for each package. The fixes below include
prerequisite checking. This will enforce the correct mapping between the fixes
and AIX Technology Levels.
            
Note that the tar file contains Interim fixes that are based on OpenSSL
version, and AIX OpenSSL fixes are cumulative. You must be on the 'prereq for
installation' level before applying the interim fix. This may require
installing a new level(prereq version) first.

AIX Level           Interim Fix (*.Z)         Fileset Name(prereq for installation) KEY
- ---------------------------------------------------------------------------------------
5.3, 6.1, 7.1, 7.2  102ma_ifix.180410.epkg.Z  openssl.base(1.0.2.1300)      key_w_fix
5.3, 6.1, 7.1, 7.2  fips_102ma.180410.epkg.Z  openssl.base(20.13.102.1300)  key_w_fix


VIOS Level     Interim Fix (*.Z)              Fileset Name(prereq for installation) KEY
- ---------------------------------------------------------------------------------------
2.2.*          102ma_ifix.180410.epkg.Z       openssl.base(1.0.2.1300)      key_w_fix
2.2.*          fips_102ma.180410.epkg.Z       openssl.base(20.13.102.1300)  key_w_fix

           
To extract the fixes from the tar file:

tar xvf openssl_fix26.tar
cd openssl_fix26

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 file"
command as the following:

openssl dgst -sha256                                       
filename                  KEY
- -----------------------------------------------------------------
bfd40e466a6c7976fcf0cb46474087c550c043dc98b0be57689975388100bfdf 
102ma_ifix.180410.epkg.Z  key_w_csum

ee752e4a70cd46295141d7441a99e019db0391f6539881c5d185433dd0cd42ae 
fips_102ma.180410.epkg.Z  key_w_csum

These sums should match exactly. The OpenSSL signatures in the tar file and on
this advisory can also be used to verify the integrity of the fixes.  If the
sums or signatures cannot be confirmed, contact IBM AIX Support at https://
ibm.com/support/ and describe the discrepancy.
          
openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>
openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>

           
Published advisory OpenSSL signature file location:
 
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc.sig
https://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory26.asc.sig 

       
B. FIX AND INTERIM FIX INSTALLATION

Interim fixes have had limited functional and regression testing but not the
full regression testing that takes place for Service Packs; however, IBM does
fully support them.

Interim fix management documentation can be found at:
 
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

           
To preview an interim fix installation:

emgr -e ipkg_name -p         # where ipkg_name is the name of the
                             # interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg_name -X         # where ipkg_name is the name of the
                             # interim fix package being installed.

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2
Complete CVSS v3 Guide
On-line Calculator v3


Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
AIX Security Bulletin (ASCII format)


Acknowledgement

None.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWupszox+lLeg9Ub1AQgBihAAqCJO8hsoU3tuSeHEoBjw5GjTt8oNFjPP
sAAM3T0S6ZulOQpe1qbPRAL3rwbnv8u0TC5u/tm6LC88F+bvrnK18xGdh5qC+ryT
U8PKEjqR6daUZmO9KCMNz8pCm3xa1a2IKoYfgWLHfTvgfVfh11zzDw5YaEAPTIVw
ExltJsUafJWEc4pCoQfPTlFUWFlF+traTrvqJZaIH13Iiyh5En81ywe2Ljhm29xx
7H7LyELTyv9OXstK+922CY2X/h7+Fz2HfLiM5n2AzMFBXPkEb1TzI2yx/+7nY3nh
xqTqzDI0+0DNBO7V7pRPFnMuyrzZz1ivtF71ORbVpOvbjblt0Rj+SS37w0h3jvUb
WGFUEMWa9R1sJxYkVbSB7tD6yW6elZigtWi+FUX1AqhBvVlLKKl22ECC06qNGGuv
eoAqs+zaEWmyfAFG4FSjgsQmUY+LHXayVDj9yb5rCV0UOiQ0bbERyIBhk0/EqV8R
jPtCx8zv9cZY85cJsQeM2RFGtCZ9OLOOmIHLhp6xT+hzShg783rzBG/G/9AD9T+0
y91s+YRHF9OaAFNQR1jtdjeFzTWa3ebxflJawStL4gCVq5HsnKJKJ/TdkaLYAm1N
4cL3h36/I2LRNKXyqdKNCKghMTgRfMetzHSybhNChPKPqDHFk1leAUSobB52b6f1
sCBHk2+8NsI=
=Dxh/
-----END PGP SIGNATURE-----

« Back to bulletins