Using emgr_check_ifixes on AIX 7.3

By Chris Gibson posted Tue February 27, 2024 10:38 PM

  


Using emgr_check_ifixes to automatically check for and download AIX security interim fixes.

If your AIX system has internet connectivity, you can use the emgr_check_ifixes tool to check for the availability of AIX security interim fixes (ifixes) for your current AIX operating system level. The tool can also download the fixes to your AIX host. It provides AIX administrators a convenient way to ensure their AIX systems have known security fixes installed.

The tool is included with AIX 7.2 and AIX 7.3. It is delivered with the bos.rte.install AIX fileset.

# which_fileset /usr/sbin/emgr_check_ifixes
/usr/sbin/emgr_check_ifixes             bos.rte.install 7.3.0.0

There’s also the companion tool, emgr_download_ifix, which can be used to download specific security ifixes.

# which_fileset /usr/sbin/emgr_download_ifix
/usr/sbin/emgr_download_ifix            bos.rte.install 7.3.0.0

Here are some examples of using the tool on an AIX system with internet access. All testing was performed on an AIX LPAR running AIX 7.3 TL2 SP1.

# oslevel -s
7300-02-01-2346

In this example we will check for any available security ifixes for our AIX system. The tool reports that there are none available to download and install for our current AIX level.

# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=mercury
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
There is no efix data on this system.
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
No AIX security fixes are required at this time ...
#

Next we check again for any security ifixes that might be available for our AIX system. This time several ifixes were found that are NOT installed on my AIX host. The tool lists each of the security fixes available for the host, but without the -D flag they are not downloaded to it.

# emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363   AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Vulnerability fixes are not downloaded
#

Finally, we check for security ifixes once more, and again the same security ifixes are found that are NOT installed on my AIX host. By specifying the -D flag we have chosen to automatically download the required fixes to the host, into the default location /tmp/ifix_${PID}, where ${PID} is the process ID of the tool's run.

# emgr_check_ifixes -D
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=8284-22A
p0.fw=SV860_212
p0.parnm=apollo
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX
Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
CVE-2023-5363   AIX is vulnerable to a denial of service (CVE-2023-5678 CVE-2023-6129 CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL     https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Downloading 1 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix openssh_fix15.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
Downloading 2 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/openssl_fix40.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix openssl_fix40.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
Downloading 3 of 3 ...
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix curl_fix3.tar has been downloaded to /tmp/ifix_15466784 directory.
+-----------------------------------------------------------------------------+
#

The ifixes are downloaded to the /tmp/ifix_15466784 directory, on the AIX host.

# ls -ltr /tmp/ifix_15466784
total 303424
-rw-r--r--    1 root     system         1865 Feb 27 21:52 ssl_connection_flrt.log
-rw-r--r--    1 root     system         9641 Feb 27 21:53 adv_file
-rw-r--r--    1 root     system          256 Feb 27 21:53 adv_file.sig
-rw-r--r--    1 root     system     27258880 Feb 27 21:53 openssh_fix15.tar
-rw-r--r--    1 root     system    125890560 Feb 27 21:53 openssl_fix40.tar
-rw-r--r--    1 root     system      2181120 Feb 27 21:54 curl_fix3.tar
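The report format above lends itself to automation. Here is an added POSIX sh helper (example code, not part of this post or of the AIX emgr tools) that classifies a saved emgr_check_ifixes report as clean, fixes-needed or error and lists the recommended labels and download URLs, so a cron run cannot mistake a failed check for a clean system. The sample report strings are constructed from the output shown above, and verify_advisory assumes the PSIRT public-key path /etc/security/certificates/AIX_PSIRT_pubkey.txt that the tool's own trace shows in the comments below.

```shell
#!/bin/sh
# Added example, not part of the post or of the AIX emgr tools: parse a saved
# emgr_check_ifixes report (e.g. captured from a cron run) into a status that a
# monitoring job can act on, and re-verify the downloaded advisory signature.

# Constructed sample reports, in the format shown in the post.
NEEDS_FIXES_REPORT='Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
Recommended ifixes, please wait..parsing
===============================================================================
38408m9a        AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH        https://aix.software.ibm.com/aix/efixes/security/openssh_fix15.tar
curl7791mb      Multiple vulnerabilities in cURL libcurl affect AIX      https://aix.software.ibm.com/aix/efixes/security/curl_fix3.tar
Vulnerability fixes are not downloaded'
CLEAN_REPORT='Searching for AIX security fixes ...
No AIX security fixes are required at this time ...'
FAILED_REPORT='Searching for AIX security fixes ...
ERROR: SSL connection failed, logs saved in /tmp/ifix/ssl_connection_flrt.log'

# recommended_fixes REPORT: print "label url" for each recommended ifix.
# A recommendation line ends in the efix .tar URL; the label is its first field.
recommended_fixes() {
    printf '%s\n' "$1" | awk '$NF ~ /^https?:\/\/.*\.tar$/ { print $1, $NF }'
}

# fix_count REPORT: number of recommended ifixes (0 when none, or on error).
fix_count() {
    recommended_fixes "$1" | wc -l | tr -d ' '
}

# report_status REPORT: "clean", "fixes-needed", or "error" when the report
# reached neither outcome (for example the SSL failure seen in the comments).
# Treating the unknown case as an error keeps a silent failure from passing.
report_status() {
    if printf '%s\n' "$1" | grep -q 'No AIX security fixes are required'; then
        echo clean
    elif [ "$(fix_count "$1")" -gt 0 ]; then
        echo fixes-needed
    else
        echo error
    fi
}

# verify_advisory DIR [KEY]: re-check the advisory signature in a download
# directory (adv_file / adv_file.sig, as listed above) before applying fixes.
# Assumption: the default key path is the one the tool's own trace uses.
verify_advisory() {
    dir=$1
    key=${2:-/etc/security/certificates/AIX_PSIRT_pubkey.txt}
    openssl dgst -sha256 -verify "$key" -signature "$dir/adv_file.sig" "$dir/adv_file"
}
```

Run the tool with its output redirected to a file, then feed that file's contents to report_status and exit non-zero on anything but clean.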

Additionally, if desired, the emgr_download_ifix tool can be used to download a specific fix. For example, to download the ntp_fix14.tar fix to my current directory:

# emgr_download_ifix -L https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar -P .
Downloading fix: https://aix.software.ibm.com/aix/efixes/security/ntp_fix14.tar
+-----------------------------------------------------------------------------+
Performing certificate verification ...
OpenSSL success!
Interim fix ntp_fix14.tar has been downloaded to . directory.
+-----------------------------------------------------------------------------+
#
# ls -ltr ntp_fix14.tar
-rw-r--r--    1 root     system      8355840 Feb 27 21:57 ntp_fix14.tar

Please note that all our testing was done with an additional ifix installed for the emgr_* tools. The necessary ifix is IJ49378m1d, as shown below. You can obtain this ifix from the IBM AIX support team by opening a new support case and requesting the fix for your specific AIX version and level.

# emgr -l
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1    S    IJ49378m1d 02/06/24 23:23:27            IJ49378 EFIXTOOLS MULTI-FIX

STATE codes:
 S = STABLE
 M = MOUNTED
 U = UNMOUNTED
 Q = REBOOT REQUIRED
 B = BROKEN
 I = INSTALLING
 R = REMOVING
 T = TESTED
 P = PATCHED
 N = NOT PATCHED
 SP = STABLE + PATCHED
 SN = STABLE + NOT PATCHED
 QP = BOOT IMAGE MODIFIED + PATCHED
 QN = BOOT IMAGE MODIFIED + NOT PATCHED
 RQ = REMOVING + REBOOT REQUIRED

# emgr -lv3 | tail -18
APAR information:
=================
APAR number:      IJ49378
APAR abstract:    crl download fails after change in certificate server
APAR number:      IJ49379
APAR abstract:    emgr_download_ifix fails with ssl connection failed
APAR number:      IJ49220
APAR abstract:    default download path of emgr_check_ifixes is /tmp/ifix

Description:
============
IJ49378 - crl download fails after change in certificate server
IJ49379 - emgr_download_ifix fails with ssl connection failed
IJ49220 - default download path of emgr_check_ifixes is /tmp/ifix

Please refer to the command reference links (below) for more information on these tools.

emgr_check_ifixes Command
https://www.ibm.com/docs/en/aix/7.3?topic=e-emgr-check-ifixes-command

emgr_download_ifix Command
https://www.ibm.com/docs/en/aix/7.2?topic=e-emgr-download-ifix-command


Comments

Thu March 21, 2024 05:43 AM

Hi Chris,

I tested your openssl command and found out I have to give the "-proxy" option to openssl.
Now I adapted the "emgr_check_ifixes" script and pasted our proxy into the openssl command wherever needed.
But now it fails here:
ERROR: failed to download CRL from crl3.digicert.com

Have to check with our network security team.
Thanks for your support...

Update:
We checked further now.
The error above comes from a certificate error for https://crl3.digicert.com
the command that seems to be the problem is:
/usr/bin/openssl s_client -proxy proxy.coop.ch:3128 -tls1_2 -quiet -connect crl3.digicert.com:443

The crl_url that's used to get the crl_hostname is:
curl_url=http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl

Why does the openssl command then use "443" when the crl_url does not?
Even in my browser I see this error:
NET::ERR_CERT_COMMON_NAME_INVALID

I check further with IBM in case: TS015648005

Thu March 21, 2024 01:37 AM

Hi Joerg, this error, "connect:errno=78", leads me to suspect there might be some sort of network connectivity issue in your environment. Try running these commands:

openssl s_client -connect esupport.ibm.com:443
openssl s_client -connect aix.software.ibm.com:443


If they fail to return good data, then I'd assume your AIX host doesn't have "direct" access to the Internet and you may need to discuss with your network team.

Wed March 20, 2024 06:29 AM

Hi Chris,

I requested the fix from IBM support and sent a snap.
After a while they sent me IJ46392 EFIXTOOLS MULTI-FIX which includes:

APAR information:
=================
 
APAR number:      IJ46392
APAR abstract:    crl download fails after change in certificate server
 
APAR number:      IJ50118
APAR abstract:    the default download path of emgr_check_ifixes is /tmp/ifix
 
APAR number:      IJ50402
APAR abstract:    emgr_download_ifix fails with ssl connection failed


Hopefully IJ50402 is the pendant to what you requested to install. Can't find any information about this APAR.

Kind regards,
Joerg



Wed March 20, 2024 05:36 AM

Hi Joerg, have you installed the ifix, IJ49378m1d?

Wed March 20, 2024 04:48 AM

Hello Chris,

After I got the ifix from IBM and installed it, the same error occurs.

I now found some time to check further.
I have to give openssl the proxy directly with the "-proxy" option.
The emgr_check_ifixes script doesn't have an option to give a proxy...
Do you have any other idea to solve this?

Kind regards,
Joerg

Thu March 07, 2024 02:37 AM

Hi Joerg, you'll need to install the ifix I mention in the post, IJ49378m1d. You can obtain this ifix from the IBM AIX support team by opening a new support case and requesting the fix for your specific AIX version and level. Thanks for your comment.

Thu March 07, 2024 01:33 AM

Hello Chris,

thanks for sharing this. Unfortunately I got a connection timeout on our systems.

svrseng3-0:/root#/usr/sbin/emgr_check_ifixes
Gathering system information
+-----------------------------------------------------------------------------+
p0.mtm=9223-22H
p0.fw=VL950_131
p0.parnm=svrseng3-0
p0.os=aix
p0.aix=7300-02-01-2346
+-----------------------------------------------------------------------------+
Checking interim fixes on the system ...
+-----------------------------------------------------------------------------+
ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
====== ================ ================= ========== ======================================
1    S    38408m9c   12/12/23 12:41:59            Ifix for openssh vulnerabilities


Searching for AIX security fixes ...
+-----------------------------------------------------------------------------+
ERROR: SSL connection failed, logs saved in /tmp/ifix/ssl_connection_flrt.log
svrseng3-0:/root#
svrseng3-0:/root#cat /tmp/ifix/ssl_connection_flrt.log
00000001:error:8000004E:system library:BIO_connect:Connection timed out:crypto/bio/bio_sock2.c:114:calling connect()
00000001:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:116:
connect:errno=78

Proxy is set and IBM toolbox is reachable via this proxy. Do I need any special ports opened in our firewall for this tool?

Many thanks in advance.

Kind regards,
Joerg

Wed March 06, 2024 06:40 PM

Thanks for your interesting question Russell. 

The emgr_check_ifixes -D command uses the public key (used for the bulletin) to verify each fix as it is downloaded.

i.e.

# validate signature of the advisory

$openssl dgst -sha256 -verify $CERT_FILE -signature  $IFIX_FOLDER/adv_file.sig $IFIX_FOLDER/adv_file > /dev/null 2>&1

e.g.

pkg_adv_sig=/aix/efixes/security/curl_advisory.asc.sig
+ echo GET /aix/efixes/security/curl_advisory.asc.sig HTTP/1.1\r\nHost: aix.software.ibm.com\r\nConnection: close\r\n\r\n
+ /usr/bin/openssl s_client -tls1_2 -quiet -connect aix.software.ibm.com:443 -CApath /var/ssl_aix/certs
+ 1> /dev/null 2>& 1 + [[ 0 -ne 0 ]]
+ stripHTTPHeader /tmp/ifix_16318948/adv_file.sig
+ 1> /dev/null
+ [[ 0 -ne 0 ]]
+ /usr/bin/openssl dgst -sha256 -verify /etc/security/certificates/AIX_PSIRT_pubkey.txt -signature /tmp/ifix_16318948/adv_file.sig /tmp/ifix_16318948/adv_file
+ 1> /dev/null 2>& 1
+ [[ 0 -ne 0 ]]
+ cat /tmp/ifix_16318948/adv_file
+ grep key_w_fs
+ 1> /dev/null
+ [[ 0 -ne 0 ]]
+ cat /tmp/ifix_16318948/adv_file
+ grep key_w_fs
+ read LINE

I don't see the same for the emgr_download_ifix command.

I'll raise this with the appropriate team for comment/action.

Wed March 06, 2024 11:40 AM

Does this new download command do any kind of signature validation?

There has been a consistent problem with trying to get IBM to move to secure software distribution best practices. IBM is now signing CVE announcements and the efixes they publish.

I worry the tool isn't updated to use those signatures.