-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2671
    Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685 CVE-2018-6109
                        CVE-2018-6110 CVE-2018-6111)
                              Security Bulletin
                                18 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenSSH
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Overwrite Arbitrary Files      -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-6111 CVE-2019-6110 CVE-2019-6109 CVE-2018-20685
                   CVE-2018-6111 CVE-2018-6110 CVE-2018-6109
Reference:         ESB-2019.2141 ESB-2019.1420 ESB-2019.1270 ESB-2019.1255

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10872060

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerabilities in OpenSSH affect AIX (CVE-2018-20685 CVE-2018-6109
CVE-2018-6110 CVE-2018-6111)

Product:             AIX family
Software version:    7.1, 7.2
Operating system(s): AIX
Reference #:         0872060

Security Bulletin

Summary

Vulnerabilities in OpenSSH affect AIX.

Vulnerability Details

CVEID: CVE-2019-6109
DESCRIPTION: OpenSSH could allow a remote attacker to conduct spoofing
attacks, caused by missing character encoding in the progress display. A
man-in-the-middle attacker could exploit this vulnerability to spoof scp
client output.
CVSS Base Score: 3.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/155488 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-6110
DESCRIPTION: OpenSSH could allow a remote attacker to conduct spoofing
attacks, caused by accepting and displaying arbitrary stderr output from the
scp server. A man-in-the-middle attacker could exploit this vulnerability to
spoof scp client output.
CVSS Base Score: 3.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/155487 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-6111
DESCRIPTION: OpenSSH could allow a remote attacker to overwrite arbitrary
files on the system, caused by missing validation of received object names
in the scp client. The scp implementation accepts arbitrary files sent by
the server, and a man-in-the-middle attacker could exploit this
vulnerability to overwrite unrelated files.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/155486 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-20685
DESCRIPTION: OpenSSH could allow a remote attacker to bypass security
restrictions, caused by improper directory name validation by scp.c in the
scp client. A man-in-the-middle attacker could exploit this vulnerability
using a filename of "." or an empty filename to bypass access restrictions
and modify permissions of the target directory.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/155484 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

+---------------------+----+
|Affected IBM Product |VRMF|
+---------------------+----+
|AIX                  |7.1 |
+---------------------+----+
|AIX                  |7.2 |
+---------------------+----+
|VIOS                 |2.2 |
+---------------------+----+
|VIOS                 |3.1 |
+---------------------+----+

The following fileset levels are vulnerable:

+-------------------+-----------+------------+
|Fileset            |Lower Level|Upper Level |
+-------------------+-----------+------------+
|openssh.base.client|4.0.0.5200 |7.5.102.1600|
+-------------------+-----------+------------+
|openssh.base.server|4.0.0.5200 |7.5.102.1600|
+-------------------+-----------+------------+

Note: To determine if your system is vulnerable, execute the following
commands:

    lslpp -L | grep -i openssh.base.client
    lslpp -L | grep -i openssh.base.server

Remediation/Fixes

FIXES

A fix is available for CVE-2018-20685, CVE-2019-6109, and CVE-2019-6111.
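The lslpp check above only greps for the fileset names; deciding whether an installed level actually falls inside the 4.0.0.5200 to 7.5.102.1600 range still needs a numeric V.R.M.F comparison, which plain string sorting gets wrong. The POSIX shell script below is an added example, not part of the IBM or AusCERT bulletin; it assumes the usual "lslpp -L" column order (Fileset, Level, State, Type, Description) and uses constructed sample output.

```shell
#!/bin/sh
# Added example, not part of the IBM/AusCERT bulletin: classify AIX OpenSSH
# fileset levels against the vulnerable range the advisory quotes.
VULN_LOWER=4.0.0.5200
VULN_UPPER=7.5.102.1600

# vrmf_cmp A B: print -1, 0 or 1 for A <, =, > B, comparing each dotted
# V.R.M.F component numerically (so 7.5.102.1600 < 7.5.102.1800).
vrmf_cmp() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.]' '
        NR == 1 { na = NF; for (i = 1; i <= NF; i++) a[i] = $i }
        NR == 2 { nb = NF; for (i = 1; i <= NF; i++) b[i] = $i }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? a[i] + 0 : 0
                y = (i <= nb) ? b[i] + 0 : 0
                if (x < y) { print "-1"; exit }
                if (x > y) { print "1"; exit }
            }
            print "0"
        }'
}

# level_is_vulnerable LEVEL: succeed when VULN_LOWER <= LEVEL <= VULN_UPPER.
level_is_vulnerable() {
    [ "$(vrmf_cmp "$1" "$VULN_LOWER")" -ge 0 ] &&
    [ "$(vrmf_cmp "$1" "$VULN_UPPER")" -le 0 ]
}

# check_lslpp: read "lslpp -L" output on stdin (assumed columns: Fileset
# Level State Type Description) and print one verdict per openssh.base line.
check_lslpp() {
    awk '$1 ~ /^openssh\.base\.(client|server)$/ { print $1, $2 }' |
    while read -r fileset level; do
        if level_is_vulnerable "$level"; then
            printf '%s %s VULNERABLE\n' "$fileset" "$level"
        else
            printf '%s %s not-in-vulnerable-range\n' "$fileset" "$level"
        fi
    done
}

# Constructed sample in lslpp -L layout; on a real host pipe "lslpp -L" instead.
SAMPLE_LSLPP='  openssh.base.client   7.5.102.1600  C  F  Open Secure Shell Commands
  openssh.base.server   7.5.102.1800  C  F  Open Secure Shell Server
  openssh.msg.en_US     7.5.102.1600  C  F  Open Secure Shell Messages'
printf '%s\n' "$SAMPLE_LSLPP" | check_lslpp
```

The comparison is deliberately numeric per component, so a future level such as 7.10.x.x is ordered after 7.5.102.1800 rather than before it.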
+-------+----+----------------------------------------------------------------+
|Product|VRMF|Remediation/First Fix                                           |
+-------+----+----------------------------------------------------------------+
|AIX    |7.1 |https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?     |
|       |    |source=aixbp&S_PKG=openssh                                      |
+-------+----+----------------------------------------------------------------+
|AIX    |7.2 |https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?     |
|       |    |source=aixbp&S_PKG=openssh                                      |
+-------+----+----------------------------------------------------------------+
|VIOS   |2.2 |https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?     |
|       |    |source=aixbp&S_PKG=openssh                                      |
+-------+----+----------------------------------------------------------------+
|VIOS   |3.1 |https://www-01.ibm.com/marketing/iwm/iwm/web/pickUrxNew.do?     |
|       |    |source=aixbp&S_PKG=openssh                                      |
+-------+----+----------------------------------------------------------------+

Please see the WORKAROUNDS AND MITIGATIONS section for mitigation steps in
response to CVE-2019-6110.

To extract the fixes from the tar file:

    zcat openssh-7.5.102.1800.tar.Z | tar xvf -

Please refer to the Readme file to be aware of the changes that are part of
the release.

IMPORTANT: If possible, it is recommended that a mksysb backup of the system
be created. Verify it is both bootable and readable before proceeding.

Note that all the previously reported security vulnerability fixes are also
included in the above-mentioned fileset level. Please refer to the readme
file (provided along with the fileset) for the complete list of
vulnerabilities fixed.

To preview the fix installation:

    installp -apYd . openssh

To install the fix package:

    installp -aXYd . openssh

Published advisory OpenSSH signature file location:

    http://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig
    https://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig
    ftp://aix.software.ibm.com/aix/efixes/security/openssh_advisory13.asc.sig

To verify the advisory and the ifix against their detached signatures:

    openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]
    openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

Workarounds and Mitigations

The potential impact of CVE-2019-6110 may be mitigated by using the sftp
command in place of the scp command.

AIX Security Bulletin (ASCII format)

Acknowledgement

None.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================