ESB-2019.0593 - [AIX] IBM AIX : Denial of service - Remote/unauthenticated 2019-02-27

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0593
        IBM Security Bulletin: Vulnerability in tcpdump affects AIX
                    (CVE-2018-19519) Security Bulletin
                             27 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM AIX
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-19519  

Reference:         ESB-2018.3906
                   ESB-2018.3885

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10873086

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in tcpdump affects AIX (CVE-2018-19519)

Product:             AIX family

Software version:    7.1, 7.2

Operating system(s): AIX

Reference #:         0873086

Security Bulletin

Summary

There is a vulnerability in tcpdump that affects AIX.

Vulnerability Details

CVEID: CVE-2018-19519
DESCRIPTION: Tcpdump is vulnerable to a stack-based buffer overflow, caused by
improper bounds checking by the print_prefix function of print-hncp.c. By using
a specially-crafted packet data, a remote attacker could overflow a buffer and
execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
153314 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

AIX 7.1, 7.2
VIOS 2.2.x

The following fileset levels are vulnerable:

key_fileset = aix

Fileset Lower Level Upper Level KEY
- ---------------------------------------------------------
bos.net.tcp.server 6.1.9.0 6.1.9.400 key_w_fs
bos.net.tcp.server 7.1.4.0 7.1.4.34 key_w_fs
bos.net.tcp.server 7.1.5.0 7.1.5.31 key_w_fs
bos.net.tcp.tcpdump 7.2.1.0 7.2.1.3 key_w_fs
bos.net.tcp.tcpdump 7.2.2.0 7.2.2.16 key_w_fs
bos.net.tcp.tcpdump 7.2.3.0 7.2.3.15 key_w_fs

To find out whether the affected filesets are installed on your systems, refer
to the lslpp command found in AIX user's guide.

Example: lslpp -L | grep -i bos.net.tcp.server


Remediation/Fixes

A. APARS

IBM has assigned the following APARs to this problem:

AIX Level APAR Availability SP KEY
- -----------------------------------------------------
7.1.4 IJ12979 ** SP08-1914 key_w_apar
7.1.5 IJ12980 ** SP04-1913 key_w_apar
7.2.1 IJ12981 ** SP06-1914 key_w_apar
7.2.2 IJ12982 ** SP04-1914 key_w_apar
7.2.3 IJ12983 ** SP03-1913 key_w_apar

VIOS Level APAR Availability SP KEY
- ----------------------------------------------------
2.2.5 IJ12978 ** 2.2.5.60 key_w_apar
2.2.6 IJ12978 ** 2.2.6.40 key_w_apar
3.1.0 IJ12983 ** 3.1.0.20 key_w_apar

Subscribe to the APARs here:
http://www.ibm.com/support/docview.wssuid=isg1IJ12978
https://www.ibm.com/support/docview.wssuid=isg1IJ12979
https://www.ibm.com/support/docview.wssuid=isg1IJ12980
https://www.ibm.com/support/docview.wssuid=isg1IJ12981
https://www.ibm.com/support/docview.wssuid=isg1IJ12982
https://www.ibm.com/support/docview.wssuid=isg1IJ12983

By subscribing, you will receive periodic email alerting you to the status of
the APAR, and a link to download the fix once it becomes available.

B. FIXES

AIX fixes are available.

The AIX fixes can be downloaded via ftp or http from:
ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_fix4.tar
http://aix.software.ibm.com/aix/efixes/security/tcpdump_fix4.tar
https://aix.software.ibm.com/aix/efixes/security/tcpdump_fix4.tar

The link above is to a tar file containing this signed advisory, fix packages,
and OpenSSL signatures for each package. The fixes below include prerequisite
checking. This will enforce the correct mapping between the fixes and AIX
Technology Levels.

AIX Level Interim Fix (*.Z) KEY
- ----------------------------------------------
7.1.4.7 IJ12979m7a.190205.epkg.Z key_w_fix
7.1.5.3 IJ12980m3a.190212.epkg.Z key_w_fix
7.2.1.5 IJ12981m5a.190225.epkg.Z key_w_fix
7.2.2.3 IJ12982m3a.190215.epkg.Z key_w_fix
7.2.3.2 IJ12983m2a.190215.epkg.Z key_w_fix

Please note that the above table refers to AIX TL/SP level as opposed to
fileset level, i.e., 7.2.2.3 is AIX 7200-02-03. Please reference the Affected
Products and Version section above for help with checking installed fileset
levels.

VIOS Level Interim Fix (*.Z) KEY
- -----------------------------------------------
2.2.5.40 IJ12978s9a.190215.epkg.Z key_w_fix
2.2.5.50 IJ12978s9a.190215.epkg.Z key_w_fix
2.2.6.21 IJ12978sBa.190215.epkg.Z key_w_fix
2.2.6.23 IJ12978sBa.190215.epkg.Z key_w_fix
2.2.6.32 IJ12978sCa.190215.epkg.Z key_w_fix
3.1.0.10 IJ12983m2a.190215.epkg.Z key_w_fix

To extract the fixes from the tar file:
tar xvf tcpdump_fix4.tar
cd tcpdump_fix4

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 [filename]"
command as the following:

openssl dgst -sha256 filename KEY
- -----------------------------------------------------------------------------------------------------
959cc124a81763c57bd1c9576f8c180a581f7685a9b6ee17e517f9863dc5f7c7
IJ12979m7a.190215.epkg.Z key_w_csum
2e05ddb65cb649d7c68342573823c7aca9febbf55ac4e4b761c6cc3429f9c472
IJ12978s9a.190215.epkg.Z key_w_csum
819ab2731f480d654db43159adf92176726edbc9377769e0215461713c933714
IJ12978sBa.190215.epkg.Z key_w_csum
216fc77d43f0713873ccb0cc7b5f531216245e4eefc02ca07b56b763ddf0c5da
IJ12978sCa.190215.epkg.Z key_w_csum
0c0790166da0f92f198abfe50255a9282c458a8f3f8158b17660512e67de8003
IJ12980m3a.190212.epkg.Z key_w_csum
cae215ce40cf9bd51f4fbbdee172258a1b24143cf1004e30b102416b359a4a87
IJ12981m5a.190225.epkg.Z key_w_csum
1a8bbeed0a375739b133c317099ab938a43f670a355fd76f16641a640c7039d3
IJ12982m3a.190215.epkg.Z key_w_csum
b87249e90504d241f9359c66f16527e2cd73c1b50a05199d4968ad5a79f10af7
IJ12983m2a.190215.epkg.Z key_w_csum

These sums should match exactly. The OpenSSL signatures in the tar file and on
this advisory can also be used to verify the integrity of the fixes. If the
sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/
support/ and describe the discrepancy.

openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig
[advisory_file]

openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

Published advisory OpenSSL signature file location:
http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory4.asc.sig
https://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory4.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory4.asc.sig

C. FIX AND INTERIM FIX INSTALLATION

If possible, it is recommended that a mksysb backup of the system be created.
Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix_name -p all # where fix_name is the name of the
# fix package being previewed.

To install a fix package:

installp -a -d fix_name -X all # where fix_name is the name of the
# fix package being installed.

Interim fixes have had limited functional and regression testing but not the
full regression testing that takes place for Service Packs; however, IBM does
fully support them. Interim fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.


Workarounds and Mitigations

None.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

AIX Security Bulletin (ASCII format)

Acknowledgement

None.

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXHX3XWaOgq3Tt24GAQiIohAAscarsJs+VFLuMlzjQoakRP3XS/oOdMq3
9tsvt+YLhVFJ+KNp1yPM/cphimOGExk2nWGoPql/G+v37QibuPvVhCOJNYJKvYlg
g16FvA6mbjpGrj3X1h9k03wvWzD/OTlUfoIdvRePFFK0Cr9qND6q3YKdQL7FEMr1
ikbazZ0kcFCRsqZFsDF6nSzvVTvWABZ75yb/E8OmbJYSc768rcyt2bIpnHUPr98Y
Ag887bF1kVGEp/BV22E/QFNHLBtD8HPNT15UgSFCQEEHBKN/MjSoqvkwfHdc6Jku
4TS5M5BA10Bu3LAIwx1Abga/kQJjke+fNLsIyCDIORjzhbZie7Bj0TC4UcmJEYT9
ztxad51dwjoEgFHZYauEBL9wS/GJziWbJVJuiw1VtmNdYHvxIhw7Y7tf0JSEn5wc
F3CLAqSdeaKqEZfdPkBgaAzqjnMfNWbMNzh9Ku6rmTFR6nFyUm/RQEKAwumaQCdL
Q7XDpGnc57o6dSavY7mW3jIwC9vkLaWuIGcOXVIvBd8YMXdyMAB/Dt8PurgVAlnc
zdeCJ4GZ48xlnNjNv3vE757Vp6cLkrrVZwD/0VD0M9S3ZJoLnf5UigJPS7oQJ+0L
GPer2eHgyJ6D6R0V4Xi05e34JbnpGlR815nNT7k99FtfJgJKzWDkEFwUKuKi8Kic
ejTfmBjlkK0=
=pHbR
-----END PGP SIGNATURE-----

« Back to bulletins