AIX

I documented in a prior post the poor security practices applied to efixes and security bulletins. Kudos to IBM for stepping up and addressing how they sign and distribute the efixes and bulletins very quickly.

Now I've encountered another major frustration in another AIX security update. Recently an advisory was released indicating that AIX has OpenSSH vulnerabilities.

Security Bulletin: AIX is vulnerable to a machine-in-the-middle attack (CVE-2023-48795), arbitrary command execution (CVE-2023-51385), and information disclosure (CVE-2023-51384) due to OpenSSH

The security team did a good job of signing the efixes and the bulletin. However there are several major security problems here.

• "A. OpenSSH 8.1.102.xxxx is out-of-support. Users are advised to upgrade to OpenSSH 8.1.112.xxxx or 9.2.112.xxxx."

Out of support from who? If I'm up to date with IBM's TL and SP, I should be running a supported version. According to IBM in the ticket I've opened, OpenSSH has stopped supporting those versions upstream. AIX development hasn't shipped a newer version. Both OpenSSH and OpenSSL are backleveled in the current SP due to an unfortunate release cycle conflict. This is why 7.2 TL5 SP7 jumps to OpenSSL 3.

Ok, so how do I get a supported version?

• "B. Latest level of OpenSSH fileset is available from the Web Download site: https://www.ibm.com/resources/mrs/assets"

What is this site? This is a marketing site?!

Since when are AIX critical security updates distributed outside of the TL/SP supply chain, or Fix Central? I'm supposed to download security critical software from a random marketing repository? Why aren't these versions an efix? Efixes are for updates that must occur faster than the standard release process.

Reviewing what is for download, I see significantly newer versions of OpenSSH and OpenSSL. There are no signatures or checksums provided for the files. These packages are absolutely critical programs related to security, and there is no way I'll install packages I can't authenticate into production.

So I opened a ticket with IBM support, leading to more fun!

• Signed LPP packages are validated in a boneheaded manner

IBM support says that the packages on the MRS site are signed LPP's. This is a relatively new feature in AIX, where you can use chsignpolicy to apply a policy regarding checking of LPP signatures at install time.

Reading the documentation for installp and chsignpolicy, I'm absolutely stunned.

1. The policy is off by default.
2. Only the highest level policy rejects unsigned LPPs OR LPPS WHICH FAILED THEIR VALIDATION.
3. The signature on an LPP file is only checked AT INSTALL TIME.
4. There is no option to check the signature on an LPP file without trying to install the package as root with preview disabled.

IBM support's actual recommendation was to install the untrustworthy freshly downloaded packages I can't authenticate, in order to confirm they are authentic.

Software supply chain management is a huge topic in cyber security. I can't in good conscience download critical software from a nonstandard source, and without the ability to confirm the authenticity of the packages.

Please get your act together IBM.

It should be simple to download the latest fixes and verify the authenticity of the software as provided by IBM from a single trusted source.

If I have downloaded a signed package, I should be able to verify the signature without attempting to install the software. Ideally running a command as a non-root user. ie: su - nobody -c installp --checksig NEWDOWNLOAD.lpp

Nothing should ever be posted for download without checksums and a signature from IBM packaging or security. These are now shipped with AIX, making it easier than ever.

I documented in a prior post the poor security practices applied to efixes and security bulletins. Kudos to IBM for stepping up and addressing how they sign and distribute the efixes and bulletins very quickly.

Now I've encountered another major frustration in another AIX security update. Recently an advisory was released indicating that AIX has OpenSSH vulnerabilities.

Security Bulletin: AIX is vulnerable to a machine-in-the-middle attack (CVE-2023-48795), arbitrary command execution (CVE-2023-51385), and information disclosure (CVE-2023-51384) due to OpenSSH

The security team did a good job of signing the efixes and the bulletin. However there are several major security problems here.

• "A. OpenSSH 8.1.102.xxxx is out-of-support. Users are advised to upgrade to OpenSSH 8.1.112.xxxx or 9.2.112.xxxx."

Out of support from who? If I'm up to date with IBM's TL and SP, I should be running a supported version. According to IBM in the ticket I've opened, OpenSSH has stopped supporting those versions upstream. AIX development hasn't shipped a newer version. Both OpenSSH and OpenSSL are backleveled in the current SP due to an unfortunate release cycle conflict. This is why 7.2 TL5 SP7 jumps to OpenSSL 3.

Ok, so how do I get a supported version?

• "B. Latest level of OpenSSH fileset is available from the Web Download site: https://www.ibm.com/resources/mrs/assets"

What is this site? This is a marketing site?!

Since when are AIX critical security updates distributed outside of the TL/SP supply chain, or Fix Central? I'm supposed to download security critical software from a random marketing repository? Why aren't these versions an efix? Efixes are for updates that must occur faster than the standard release process.

Reviewing what is for download, I see significantly newer versions of OpenSSH and OpenSSL. There are no signatures or checksums provided for the files. These packages are absolutely critical programs related to security, and there is no way I'll install packages I can't authenticate into production.

So I opened a ticket with IBM support, leading to more fun!

• Signed LPP packages are validated in a boneheaded manner

IBM support says that the packages on the MRS site are signed LPP's. This is a relatively new feature in AIX, where you can use chsignpolicy to apply a policy regarding checking of LPP signatures at install time.

Reading the documentation for installp and chsignpolicy, I'm absolutely stunned.

1. The policy is off by default.
2. Only the highest level policy rejects unsigned LPPs OR LPPS WHICH FAILED THEIR VALIDATION.
3. The signature on an LPP file is only checked AT INSTALL TIME.
4. There is no option to check the signature on an LPP file without trying to install the package as root with preview disabled.

IBM support's actual recommendation was to install the untrustworthy freshly downloaded packages I can't authenticate, in order to confirm they are authentic.

Software supply chain management is a huge topic in cyber security. I can't in good conscience download critical software from a nonstandard source, and without the ability to confirm the authenticity of the packages.

Please get your act together IBM.

It should be simple to download the latest fixes and verify the authenticity of the software as provided by IBM from a single trusted source.

If I have downloaded a signed package, I should be able to verify the signature without attempting to install the software. Ideally running a command as a non-root user. ie: su - nobody -c installp --checksig NEWDOWNLOAD.lpp

Nothing should ever be posted for download without checksums and a signature from IBM packaging or security. These are now shipped with AIX, making it easier than ever.

I documented in a prior post the poor security practices applied to efixes and security bulletins. Kudos to IBM for stepping up and addressing how they sign and distribute the efixes and bulletins very quickly.

Now I've encountered another major frustration in another AIX security update. Recently an advisory was released indicating that AIX has OpenSSH vulnerabilities.

Security Bulletin: AIX is vulnerable to a machine-in-the-middle attack (CVE-2023-48795), arbitrary command execution (CVE-2023-51385), and information disclosure (CVE-2023-51384) due to OpenSSH

The security team did a good job of signing the efixes and the bulletin. However there are several major security problems here.

• "A. OpenSSH 8.1.102.xxxx is out-of-support. Users are advised to upgrade to OpenSSH 8.1.112.xxxx or 9.2.112.xxxx."

Out of support from who? If I'm up to date with IBM's TL and SP, I should be running a supported version. According to IBM in the ticket I've opened, OpenSSH has stopped supporting those versions upstream. AIX development hasn't shipped a newer version. Both OpenSSH and OpenSSL are backleveled in the current SP due to an unfortunate release cycle conflict. This is why 7.2 TL5 SP7 jumps to OpenSSL 3.

Ok, so how do I get a supported version?

• "B. Latest level of OpenSSH fileset is available from the Web Download site: https://www.ibm.com/resources/mrs/assets"

What is this site? This is a marketing site?!

Since when are AIX critical security updates distributed outside of the TL/SP supply chain, or Fix Central? I'm supposed to download security critical software from a random marketing repository? Why aren't these versions an efix? Efixes are for updates that must occur faster than the standard release process.

Reviewing what is for download, I see significantly newer versions of OpenSSH and OpenSSL. There are no signatures or checksums provided for the files. These packages are absolutely critical programs related to security, and there is no way I'll install packages I can't authenticate into production.

So I opened a ticket with IBM support, leading to more fun!

• Signed LPP packages are validated in a boneheaded manner

IBM support says that the packages on the MRS site are signed LPP's. This is a relatively new feature in AIX, where you can use chsignpolicy to apply a policy regarding checking of LPP signatures at install time.

Reading the documentation for installp and chsignpolicy, I'm absolutely stunned.

1. The policy is off by default.
2. Only the highest level policy rejects unsigned LPPs OR LPPS WHICH FAILED THEIR VALIDATION.
3. The signature on an LPP file is only checked AT INSTALL TIME.
4. There is no option to check the signature on an LPP file without trying to install the package as root with preview disabled.

IBM support's actual recommendation was to install the untrustworthy freshly downloaded packages I can't authenticate, in order to confirm they are authentic.

Software supply chain management is a huge topic in cyber security. I can't in good conscience download critical software from a nonstandard source, and without the ability to confirm the authenticity of the packages.

Please get your act together IBM.

It should be simple to download the latest fixes and verify the authenticity of the software as provided by IBM from a single trusted source.

If I have downloaded a signed package, I should be able to verify the signature without attempting to install the software. Ideally running a command as a non-root user. ie: su - nobody -c installp --checksig NEWDOWNLOAD.lpp

Nothing should ever be posted for download without checksums and a signature from IBM packaging or security. These are now shipped with AIX, making it easier than ever.

Hi!

Just our of curiosity and in this context: Does it matter, from which website you download your packages from?  From the point of trusting your download location, where do you see a difference between www.ibm.com/support/fixcentral/ and www.ibm.com/resources/mrs/assets/ ?  Both have valid https certificates.

I see the point that it is annoying to have several points to check for required updates, but just in this point of your argumentation I see no difference.

Best regards,

  Alexander

I documented in a prior post the poor security practices applied to efixes and security bulletins. Kudos to IBM for stepping up and addressing how they sign and distribute the efixes and bulletins very quickly.

Now I've encountered another major frustration in another AIX security update. Recently an advisory was released indicating that AIX has OpenSSH vulnerabilities.

Security Bulletin: AIX is vulnerable to a machine-in-the-middle attack (CVE-2023-48795), arbitrary command execution (CVE-2023-51385), and information disclosure (CVE-2023-51384) due to OpenSSH

The security team did a good job of signing the efixes and the bulletin. However there are several major security problems here.

• "A. OpenSSH 8.1.102.xxxx is out-of-support. Users are advised to upgrade to OpenSSH 8.1.112.xxxx or 9.2.112.xxxx."

Out of support from who? If I'm up to date with IBM's TL and SP, I should be running a supported version. According to IBM in the ticket I've opened, OpenSSH has stopped supporting those versions upstream. AIX development hasn't shipped a newer version. Both OpenSSH and OpenSSL are backleveled in the current SP due to an unfortunate release cycle conflict. This is why 7.2 TL5 SP7 jumps to OpenSSL 3.

Ok, so how do I get a supported version?

• "B. Latest level of OpenSSH fileset is available from the Web Download site: https://www.ibm.com/resources/mrs/assets"

What is this site? This is a marketing site?!

Since when are AIX critical security updates distributed outside of the TL/SP supply chain, or Fix Central? I'm supposed to download security critical software from a random marketing repository? Why aren't these versions an efix? Efixes are for updates that must occur faster than the standard release process.

Reviewing what is for download, I see significantly newer versions of OpenSSH and OpenSSL. There are no signatures or checksums provided for the files. These packages are absolutely critical programs related to security, and there is no way I'll install packages I can't authenticate into production.

So I opened a ticket with IBM support, leading to more fun!

• Signed LPP packages are validated in a boneheaded manner

IBM support says that the packages on the MRS site are signed LPP's. This is a relatively new feature in AIX, where you can use chsignpolicy to apply a policy regarding checking of LPP signatures at install time.

Reading the documentation for installp and chsignpolicy, I'm absolutely stunned.

1. The policy is off by default.
2. Only the highest level policy rejects unsigned LPPs OR LPPS WHICH FAILED THEIR VALIDATION.
3. The signature on an LPP file is only checked AT INSTALL TIME.
4. There is no option to check the signature on an LPP file without trying to install the package as root with preview disabled.

IBM support's actual recommendation was to install the untrustworthy freshly downloaded packages I can't authenticate, in order to confirm they are authentic.

Software supply chain management is a huge topic in cyber security. I can't in good conscience download critical software from a nonstandard source, and without the ability to confirm the authenticity of the packages.

Please get your act together IBM.

It should be simple to download the latest fixes and verify the authenticity of the software as provided by IBM from a single trusted source.

If I have downloaded a signed package, I should be able to verify the signature without attempting to install the software. Ideally running a command as a non-root user. ie: su - nobody -c installp --checksig NEWDOWNLOAD.lpp

Nothing should ever be posted for download without checksums and a signature from IBM packaging or security. These are now shipped with AIX, making it easier than ever.