===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0478
                     Vulnerabilities in NTP affect AIX
                             21 February 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           NTP
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9311 CVE-2016-9310 CVE-2016-7428
                   CVE-2016-7427  

Reference:         ESB-2017.0354
                   ESB-2017.0109
                   ESB-2017.0030
                   ESB-2016.3091
                   ESB-2016.2803.2

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg

--------------------------BEGIN INCLUDED TEXT--------------------

------------------------------------------------------------------------------
1.  AIX 5.3

- TITLE: Vulnerabilities in NTP affect AIX
- URL: http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq?mode=18&ID=5262&myns=aix&mynp=OCOE607&mync=E&cm_sp=aix-_-OCOE607-_-E
- ABSTRACT: IBM SECURITY ADVISORY

First Issued: Mon Feb 13 15:32:47 CST 2017
Updated: Fri Feb 17 18:40:29 CST 2017
Update: New iFixes provided for NTPv3 in AIX 5.3.12.9, 6.1.9.6,
6.1.9.8, 7.1.3.5, 7.1.3.6, 7.1.3.7, 7.1.3.8, 7.1.4.3, 7.2.0.0, 7.2.0.2,
7.2.1.0, 7.2.1.1 and VIOS 2.2.4.x.

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc

Security Bulletin:  Vulnerabilities in NTP affect AIX
CVE-2016-7427 CVE-2016-7428 CVE-2016-9310 CVE-2016-9311 

===============================================================================

SUMMARY:

There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX. 


===============================================================================

VULNERABILITY DETAILS:

NTPv3 and NTPv4 are vulnerable to:

CVEID: CVE-2016-7427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error
in broadcast mode replay prevention functionality. By sending specially 
crafted NTP packets, a local attacker could exploit this vulnerability to 
cause a denial of service.
CVSS Base Score: 4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119088 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-7428 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error 
in broadcast mode poll interval enforcement functionality. By sending 
specially crafted NTP packets, a remote attacker from within the local 
network could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3 
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119089 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-9310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310
DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error 
in the control mode (mode 6) functionality. By sending specially crafted 
control mode packets, a remote attacker could exploit this vulnerability 
to obtain sensitive information and cause the application to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119087 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2016-9311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311
DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL
pointer dereference when trap service has been enabled. By sending
specially crafted packets, a remote attacker could exploit this
vulnerability to cause the application to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/119086 for more
information.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)

AFFECTED PRODUCTS AND VERSIONS:

AIX  5.3, 6.1, 7.1, 7.2
VIOS 2.2

The following fileset levels are vulnerable:

key_fileset = aix

For NTPv3:

Fileset             Lower Level  Upper Level   KEY
-----------------------------------------------------
bos.net.tcp.client   5.3.12.0     5.3.12.10   key_w_fs
bos.net.tcp.client   6.1.9.0      6.1.9.200   key_w_fs
bos.net.tcp.client   7.1.3.0      7.1.3.48    key_w_fs
bos.net.tcp.client   7.1.4.0      7.1.4.30    key_w_fs
bos.net.tcp.ntp      7.2.0.0      7.2.0.2     key_w_fs
bos.net.tcp.ntp      7.2.1.0      7.2.1.0     key_w_fs
bos.net.tcp.ntpd     7.2.0.0      7.2.0.2     key_w_fs
bos.net.tcp.ntpd     7.2.1.0      7.2.1.0     key_w_fs

For NTPv4:

Fileset             Lower Level  Upper Level   KEY
-----------------------------------------------------
ntp.rte              6.1.6.0      6.1.6.7     key_w_fs
ntp.rte              7.1.0.0      7.1.0.7     key_w_fs

Note: To find out whether the affected filesets are installed
on your systems, refer to the lslpp command described in the AIX
user's guide.

Example:  lslpp -L | grep -i ntp.rte 
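
The level comparison implied by the tables above, as an added example (not part of the IBM advisory or of AusCERT's bulletin). It assumes input lines of the form "fileset level"; the function names ver_le, fileset_status and scan_levels are hypothetical, and the ranges are copied from the tables above.

```shell
#!/bin/sh
# Added example: flag filesets whose level lies inside the advisory's
# vulnerable ranges (fileset, lower level, upper level, from the tables above).
RANGES='bos.net.tcp.client 5.3.12.0 5.3.12.10
bos.net.tcp.client 6.1.9.0 6.1.9.200
bos.net.tcp.client 7.1.3.0 7.1.3.48
bos.net.tcp.client 7.1.4.0 7.1.4.30
bos.net.tcp.ntp 7.2.0.0 7.2.0.2
bos.net.tcp.ntp 7.2.1.0 7.2.1.0
bos.net.tcp.ntpd 7.2.0.0 7.2.0.2
bos.net.tcp.ntpd 7.2.1.0 7.2.1.0
ntp.rte 6.1.6.0 6.1.6.7
ntp.rte 7.1.0.0 7.1.0.7'

# ver_le A B: succeed when dotted level A <= B. Fields are compared
# numerically, so 6.1.9.45 sorts below 6.1.9.200 (a string compare would not).
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# fileset_status FILESET LEVEL: print VULNERABLE when LEVEL falls inside any
# listed range for FILESET, otherwise NOT_LISTED.
fileset_status() {
    status=NOT_LISTED
    while read -r fs lo hi; do
        [ "$fs" = "$1" ] || continue
        if ver_le "$lo" "$2" && ver_le "$2" "$hi"; then status=VULNERABLE; fi
    done <<EOF
$RANGES
EOF
    echo "$status"
}

# scan_levels: read "fileset level" lines on stdin and append the status.
scan_levels() {
    while read -r fs lvl; do
        [ -n "$fs" ] || continue
        echo "$fs $lvl $(fileset_status "$fs" "$lvl")"
    done
}

# Constructed sample input, not taken from a real host.
printf '%s\n' 'bos.net.tcp.client 6.1.9.45' 'bos.net.tcp.client 7.1.4.31' \
    'ntp.rte 7.1.0.7' | scan_levels
```

This checks fileset levels only. A host whose level is in range may already carry the interim fix; emgr -l lists the interim fixes installed on a system.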

REMEDIATION:

A. APARS

IBM has assigned the following APARs to this problem:

For NTPv3:

AIX Level APAR     Availability  SP   KEY
------------------------------------------------
5.3.12    IV92194  NA                 key_w_apar
6.1.9     IV91803  **            SP9  key_w_apar
7.1.3     IV92193  **            SP9  key_w_apar
7.1.4     IV91951  **            SP4  key_w_apar
7.2.0     IV92192  **            SP4  key_w_apar
7.2.1     IV92067  **            SP2  key_w_apar

For NTPv4:

AIX Level APAR     Availability  SP   KEY
------------------------------------------------
6.1.9     IV92287  **            SP9  key_w_apar
7.1.3     IV92126  **            SP9  key_w_apar
7.1.4     IV92126  **            SP4  key_w_apar
7.2.0     IV92126  **            SP4  key_w_apar
7.2.1     IV92126  **            SP2  key_w_apar

** Please refer to AIX support lifecycle information page for
availability of Service Packs:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1012517

Subscribe to the APARs here:

http://www.ibm.com/support/docview.wss?uid=isg1IV91803
http://www.ibm.com/support/docview.wss?uid=isg1IV91951
http://www.ibm.com/support/docview.wss?uid=isg1IV92192
http://www.ibm.com/support/docview.wss?uid=isg1IV92287
http://www.ibm.com/support/docview.wss?uid=isg1IV92126
http://www.ibm.com/support/docview.wss?uid=isg1IV92194
http://www.ibm.com/support/docview.wss?uid=isg1IV92193
http://www.ibm.com/support/docview.wss?uid=isg1IV92067

https://www.ibm.com/support/docview.wss?uid=isg1IV91803
https://www.ibm.com/support/docview.wss?uid=isg1IV91951
https://www.ibm.com/support/docview.wss?uid=isg1IV92192
https://www.ibm.com/support/docview.wss?uid=isg1IV92287
https://www.ibm.com/support/docview.wss?uid=isg1IV92126
https://www.ibm.com/support/docview.wss?uid=isg1IV92194
https://www.ibm.com/support/docview.wss?uid=isg1IV92193
https://www.ibm.com/support/docview.wss?uid=isg1IV92067

By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.

B. FIXES

Fixes are available.

The fixes can be downloaded via ftp or http from:

ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar
http://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar
https://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar 

The links above are to a tar file containing this signed
advisory, interim fixes, and OpenSSL signatures for each interim
fix.
The fixes below include prerequisite checking. This will
enforce the correct mapping between the fixes and AIX
Technology Levels.

For NTPv3:

AIX Level  Interim Fix (*.Z)         KEY
----------------------------------------------
5.3.12.9   IV92194m9a.170113.epkg.Z  key_w_fix
6.1.9.6    IV91803m6a.170112.epkg.Z  key_w_fix   
6.1.9.7    IV91803m6a.170112.epkg.Z  key_w_fix
6.1.9.8    IV91803m6a.170112.epkg.Z  key_w_fix
7.1.3.5    IV92193m5a.170112.epkg.Z  key_w_fix
7.1.3.6    IV92193m5a.170112.epkg.Z  key_w_fix
7.1.3.7    IV92193m5a.170112.epkg.Z  key_w_fix
7.1.3.8    IV92193m5a.170112.epkg.Z  key_w_fix
7.1.4.1    IV91951m3a.170113.epkg.Z  key_w_fix
7.1.4.2    IV91951m3a.170113.epkg.Z  key_w_fix
7.1.4.3    IV91951m3a.170113.epkg.Z  key_w_fix
7.2.0.0    IV92192m2a.170112.epkg.Z  key_w_fix
7.2.0.1    IV92192m2a.170112.epkg.Z  key_w_fix
7.2.0.2    IV92192m2a.170112.epkg.Z  key_w_fix
7.2.1.0    IV92067s1a.170112.epkg.Z  key_w_fix
7.2.1.1    IV92067s1a.170112.epkg.Z  key_w_fix

VIOS Level  Interim Fix (*.Z)         KEY
-----------------------------------------------
2.2.4.2x    IV91803m6a.170112.epkg.Z  key_w_fix

For NTPv4:

AIX Level  Interim Fix (*.Z)         KEY
----------------------------------------------
6.1.x      IV92287m5a.170113.epkg.Z  key_w_fix
7.1.x      IV92126m3a.170106.epkg.Z  key_w_fix
7.2.x      IV92126m3a.170106.epkg.Z  key_w_fix

All fixes included are cumulative and address previously
issued AIX NTP security bulletins with respect to SP and TL. 

To extract the fixes from the tar file:

tar xvf ntp_fix8.tar
cd ntp_fix8

Verify you have retrieved the fixes intact:

The checksums below were generated using the
"openssl dgst -sha256 [filename]" command as the following:

openssl dgst -sha256                                              filename                  KEY
--------------------------------------------------------------------------------------------------------
70044311eab50e798b1a0756b8f7fef368b65ae79c03496c1fbcf5ba8da7b176  IV91803m6a.170112.epkg.Z  key_w_csum
8ef346dbd1d7f3d8e9c03b21fa6e2cd1dca88de9d0951675a4787f34bf892f30  IV91951m3a.170113.epkg.Z  key_w_csum
f6105a97e957651e8a464cfd6edd0ad50a74ba9dffb974925612f68d21fa7857  IV92192m2a.170112.epkg.Z  key_w_csum
f1ab705600cc8b08dd11a6e12d1b32a2ec89b988557502ffffd6c06dd53936b9  IV92287m5a.170113.epkg.Z  key_w_csum
57c9db9c53098f21e837a407e2b2dead1c1c754d44812eb0392d050e697ae2bd  IV92126m3a.170106.epkg.Z  key_w_csum
f8d9c43a2ae724a7a1e69caab5973aed0bb4b6ddc72bc57d038fad6faa680fa1  IV92194m9a.170113.epkg.Z  key_w_csum
558db7a325e5d6733bac66f9b01a9dee4a93826163a50992ee99c1cb9f7dfe70  IV92193m5a.170112.epkg.Z  key_w_csum
eee9aec25443fa496168f7c4cfb289dbfaeed96c8be0fc3cb57b888733e4f9d4  IV92067s1a.170112.epkg.Z  key_w_csum

These sums should match exactly. The OpenSSL signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes.  If the sums or signatures cannot be
confirmed, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

Published advisory OpenSSL signature file location:

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig
https://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig
ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig

C. FIX AND INTERIM FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created.  Verify it is both bootable and
readable before proceeding.

The fix will not take effect until any running xntpd servers
have been stopped and restarted with the following commands:

stopsrc -s xntpd
startsrc -s xntpd

To preview a fix installation:

installp -a -d fix_name -p all  # where fix_name is the name of the
# fix package being previewed.

To install a fix package:

installp -a -d fix_name -X all  # where fix_name is the name of the
# fix package being installed.

After installation the ntp daemon must be restarted:

stopsrc -s xntpd
startsrc -s xntpd

Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

emgr -e ipkg_name -p         
# where ipkg_name is the name of the
# interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg_name -X         
# where ipkg_name is the name of the
# interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

None.

===============================================================================

CONTACT US:

Note: Keywords labeled as KEY in this document are used for parsing
purposes.

If you would like to receive AIX Security Advisories via email,
please visit "My Notifications":

http://www.ibm.com/support/mynotifications
https://www.ibm.com/support/mynotifications

To view previously issued advisories, please visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq
https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq

Comments regarding the content of this announcement can be
directed to:

security-alert@austin.ibm.com

To obtain the OpenSSL public key that can be used to verify the
signed advisories and ifixes:

Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt
https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt

To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team via security-alert@austin.ibm.com you
can either:

A. Download the key from our web page:

http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt
https://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt

B. Download the key from a PGP Public Key Server. The key ID is:

0x28BFAA12

Please contact your local IBM AIX support center for any
assistance.

REFERENCES:

Complete CVSS v3 Guide:  http://www.first.org/cvss/user-guide
https://www.first.org/cvss/user-guide
On-line Calculator v3:
http://www.first.org/cvss/calculator/3.0
https://www.first.org/cvss/calculator/3.0

ACKNOWLEDGEMENTS:

None 

CHANGE HISTORY:

First Issued: Mon Feb 13 15:32:47 CST 2017
Updated: Fri Feb 17 18:40:29 CST 2017
Update: New iFixes provided for NTPv3 in AIX 5.3.12.9, 6.1.9.6,
6.1.9.8, 7.1.3.5, 7.1.3.6, 7.1.3.7, 7.1.3.8, 7.1.4.3, 7.2.0.0, 7.2.0.2,
7.2.1.0, 7.2.1.1 and VIOS 2.2.4.x.

===============================================================================

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact 
of this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin. 

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

------------------------------------------------------------------------------

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================