AIX

  • 1.  Yet another embarrassing AIX security debacle

    Posted Fri March 29, 2024 09:39 AM

    I documented in a prior post the poor security practices applied to efixes and security bulletins. Kudos to IBM for stepping up and addressing how they sign and distribute the efixes and bulletins very quickly.

    Now I've encountered another major frustration in another AIX security update. Recently an advisory was released indicating that AIX has OpenSSH vulnerabilities.

    Security Bulletin: AIX is vulnerable to a machine-in-the-middle attack (CVE-2023-48795), arbitrary command execution (CVE-2023-51385), and information disclosure (CVE-2023-51384) due to OpenSSH

    Vulnerabilities in AIX's OpenSSH could allow a remote attacker to launch a machine-in-the-middle attack (CVE-2023-48795) and execute arbitrary commands (CVE-2023-51385), and could allow a local authenticated attacker to obtain sensitive information (CVE-2023-51384). OpenSSH is used by AIX for remote login.

    The security team did a good job of signing the efixes and the bulletin. However there are several major security problems here.

    • "A. OpenSSH 8.1.102.xxxx is out-of-support. Users are advised to upgrade to OpenSSH 8.1.112.xxxx or 9.2.112.xxxx."

    Out of support from who? If I'm up to date with IBM's TL and SP, I should be running a supported version. According to IBM in the ticket I've opened, OpenSSH has stopped supporting those versions upstream. AIX development hasn't shipped a newer version. Both OpenSSH and OpenSSL are backleveled in the current SP due to an unfortunate release cycle conflict. This is why 7.2 TL5 SP7 jumps to OpenSSL 3.

    Ok, so how do I get a supported version?

    What is this site? This is a marketing site?!

    Since when are AIX critical security updates distributed outside of the TL/SP supply chain, or Fix Central? I'm supposed to download security critical software from a random marketing repository? Why aren't these versions an efix? Efixes are for updates that must occur faster than the standard release process.

    Reviewing what is for download, I see significantly newer versions of OpenSSH and OpenSSL. There are no signatures or checksums provided for the files. These packages are absolutely critical programs related to security, and there is no way I'll install packages I can't authenticate into production.

    So I opened a ticket with IBM support, leading to more fun!

    • Signed LPP packages are validated in a boneheaded manner

    IBM support says that the packages on the MRS site are signed LPPs. This is a relatively new feature in AIX, where you can use chsignpolicy to apply a policy regarding checking of LPP signatures at install time.

    Reading the documentation for installp and chsignpolicy, I'm absolutely stunned.

    1. The policy is off by default.
    2. Only the highest level policy rejects unsigned LPPs OR LPPs WHICH FAILED THEIR VALIDATION.
    3. The signature on an LPP file is only checked AT INSTALL TIME.
    4. There is no option to check the signature on an LPP file without trying to install the package as root with preview disabled.

    IBM support's actual recommendation was to install the untrustworthy freshly downloaded packages I can't authenticate, in order to confirm they are authentic.

    Software supply chain management is a huge topic in cyber security. I can't in good conscience download critical software from a nonstandard source, and without the ability to confirm the authenticity of the packages.

    Please get your act together IBM.

    It should be simple to download the latest fixes and verify the authenticity of the software as provided by IBM from a single trusted source.

    If I have downloaded a signed package, I should be able to verify the signature without attempting to install the software. Ideally running a command as a non-root user, i.e.: su - nobody -c installp --checksig NEWDOWNLOAD.lpp

    Nothing should ever be posted for download without checksums and a signature from IBM packaging or security. These are now shipped with AIX, making it easier than ever.



    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------
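The pre-install check the post asks for, as an added example that is not from the thread or from IBM: a POSIX shell function that verifies a downloaded package against a published SHA-256 checksum file and a detached signature, runnable by an unprivileged user. The vendor key pair, the dummy "pkg.bff" and its checksum and signature files are all constructed here so the script runs offline; the `installp --checksig` option the post wishes for does not exist and is not used.

```shell
#!/bin/sh
# Added example: verify a package before installp ever sees it.
# Constructed inputs: the RSA key pair stands in for a vendor signing key
# and pkg.bff is a placeholder, not a real AIX fileset.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed vendor key pair (only the public half would be distributed).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/vendor.key" 2>/dev/null
openssl pkey -in "$WORK/vendor.key" -pubout -out "$WORK/vendor.pub" 2>/dev/null

# Constructed package plus the two artifacts a vendor should publish with it.
printf 'pretend fileset contents\n' > "$WORK/pkg.bff"
(cd "$WORK" && openssl dgst -sha256 -r pkg.bff > pkg.bff.sha256)
openssl dgst -sha256 -sign "$WORK/vendor.key" \
    -out "$WORK/pkg.bff.sig" "$WORK/pkg.bff"

# verify_package PKG SHA256FILE SIGFILE PUBKEY -> 0 only if both checks pass.
# The checksum catches corruption; the signature is what proves origin, since
# whoever can replace the package can regenerate the checksum file as well.
verify_package() {
    pkg=$1; sums=$2; sig=$3; pub=$4
    expected=$(cut -d' ' -f1 "$sums")
    actual=$(openssl dgst -sha256 -r "$pkg" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "checksum mismatch: $pkg"; return 1; }
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$pkg" >/dev/null 2>&1 \
        || { echo "signature INVALID: $pkg"; return 1; }
    echo "verified: $pkg"
}

# Case 1: payload altered, published checksum left alone -> checksum fails.
cp "$WORK/pkg.bff" "$WORK/tampered.bff"
printf 'extra bytes\n' >> "$WORK/tampered.bff"

# Case 2: payload altered AND checksum regenerated by the attacker -> the
# checksum matches, so only the signature check rejects it.
(cd "$WORK" && openssl dgst -sha256 -r tampered.bff > tampered.bff.sha256)

verify_package "$WORK/pkg.bff" "$WORK/pkg.bff.sha256" \
    "$WORK/pkg.bff.sig" "$WORK/vendor.pub"
verify_package "$WORK/tampered.bff" "$WORK/pkg.bff.sha256" \
    "$WORK/pkg.bff.sig" "$WORK/vendor.pub"
verify_package "$WORK/tampered.bff" "$WORK/tampered.bff.sha256" \
    "$WORK/pkg.bff.sig" "$WORK/vendor.pub"
```

The script needs only openssl and runs as any user; the temporary directory is removed when the shell exits.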


  • 2.  RE: Yet another embarrassing AIX security debacle

    Posted Fri March 29, 2024 09:43 AM

    @Roy ST. JOHN

    Can you give some feedback on this?



    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------



  • 3.  RE: Yet another embarrassing AIX security debacle

    Posted Fri March 29, 2024 10:30 AM

    Hi Russell,

    Thank you for the feedback; we will explore further and may want to reach out to you directly for more discussion. On your comment about "out of support", it gets a bit complicated with open technologies like ssl and ssh that come from open communities. The communities determine the support details, not IBM, and we generally align with them.

    The AIX Web Download Pack site is not a marketing site. It gives us a vehicle to provide software updates, to mostly open source related technology, outside of the standard AIX TL and SP releases. For many of these programs such as ssl and ssh, they do eventually make it into a subsequent SP or TL for releases where we still deliver TLs such as AIX 7.3. As you mention, sometimes we miss the nearest SP or TL due to logistics where we freeze code during the final phases of test.

    Again, thanks for the feedback. It looks like we can improve the consistency for how we sign and manage deliverables across the different delivery mechanisms. We will explore that.

    I like your suggestion of being able to verify the package signature w/o actually trying to install it.

    Carl



    ------------------------------
    Carl Burnett
    DE, IBM Infrastructure, IBM Power
    ------------------------------



  • 4.  RE: Yet another embarrassing AIX security debacle

    Posted Thu April 04, 2024 07:05 AM

    Hi!

    Ok, so how do I get a supported version?

    What is this site? This is a marketing site?!

    Just out of curiosity and in this context: Does it matter from which website you download your packages? From the point of trusting your download location, where do you see a difference between www.ibm.com/support/fixcentral/ and www.ibm.com/resources/mrs/assets/ ? Both have valid https certificates.

    I see the point that it is annoying to have several points to check for required updates, but just in this point of your argumentation I see no difference.

    Best regards,

      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------



  • 5.  RE: Yet another embarrassing AIX security debacle

    Posted Thu April 04, 2024 07:35 AM
    On Thu, Apr 04, 2024 at 11:05:06AM +0000, Alexander Reichle-Schmehl via IBM TechXchange Community wrote:
    > What is this site? This is a marketing site?!
    >
    > Just out of curiosity and in this context: Does it matter, from
    > which website you download your packages from? From the point of
    > trusting your download location, where do you see a difference
    > between www.ibm.com/support/fixcentral/ and
    > www.ibm.com/resources/mrs/assets/ ? Both have valid https
    > certificates.

    ESS and Fixcentral are the most common distribution points. Until this
    security update I've never been asked to pull data from MRS.

    Production software is supposed to come from trusted sources, and be
    part of the routine software supply chain. ESS and Fixcentral are the
    authoritative supply chain.

    MRS could be any group throwing up unsupported software. Since when
    does marketing know anything about security or software distribution?

    Here's a question. If I go dig into random subdirs on the old IBM FTP
    site, and download software I find, does that mean it's supported? It
    was a valid IBM domain after all. Of course not.

    > I see the point that it is annoying to have several points to check
    > for required updates, but just in this point of your argumentation I
    > see no difference.

    I really don't care if there are multiple official places to download
    software. The problem is that a marketing site isn't an official
    place, or if it is then it's a poorly communicated new place. If it is
    official it is still lacking the security standards I referenced
    before (ie: checksums and signatures).


    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/