On Thu, Apr 04, 2024 at 11:05:06AM +0000, Alexander Reichle-Schmehl via IBM TechXchange Community wrote:
> What is this site? This is a marketing site?!
>
> Just out of curiosity and in this context: Does it matter, from
> which website you download your packages from? From the point of
> trusting your download location, where do you see a difference
> between www.ibm.com/support/fixcentral/ and
> www.ibm.com/resources/mrs/assets/ ? Both have valid https
> certificates.
ESS and Fixcentral are the most common distribution points. Until this
security update I've never been asked to pull data from MRS.
Production software is supposed to come from trusted sources, and be
part of the routine software supply chain. ESS and Fixcentral are the
authoritative supply chain.
MRS could be any group throwing up unsupported software. Since when
does marketing know anything about security or software distribution?
Here's a question. If I go dig into random subdirs on the old IBM FTP
site, and download software I find, does that mean it's supported? It
was a valid IBM domain after all. Of course not.
> I see the point that it is annoying to have several points to check
> for required updates, but just in this point of your argumentation I
> see no difference.
I really don't care if there are multiple official places to download
software. The problem is that a marketing site isn't an official
place, or if it is then it's a poorly communicated new place. If it is
official it is still lacking the security standards I referenced
before (ie: checksums and signatures).
------------------------------------------------------------------
Russell Adams
Russell.Adams@AdamsSystems.nl
Principal Consultant, Adams Systems Consultancy
https://adamssystems.nl/
Original Message:
Sent: 4/4/2024 7:05:00 AM
From: Alexander Reichle-Schmehl
Subject: RE: Yet another embarrassing AIX security debacle
Hi!
Ok, so how do I get a supported version?
What is this site? This is a marketing site?!
Just out of curiosity and in this context: Does it matter, from which website you download your packages from? From the point of trusting your download location, where do you see a difference between www.ibm.com/support/fixcentral/ and www.ibm.com/resources/mrs/assets/ ? Both have valid https certificates.
I see the point that it is annoying to have several points to check for required updates, but just in this point of your argumentation I see no difference.
Best regards,
Alexander
------------------------------
Alexander Reichle-Schmehl
------------------------------
Original Message:
Sent: Fri March 29, 2024 09:38 AM
From: Russell Adams
Subject: Yet another embarrassing AIX security debacle
I documented in a prior post the poor security practices applied to efixes and security bulletins. Kudos to IBM for stepping up and addressing how they sign and distribute the efixes and bulletins very quickly.
Now I've encountered another major frustration in another AIX security update. Recently an advisory was released indicating that AIX has OpenSSH vulnerabilities.
Security Bulletin: AIX is vulnerable to a machine-in-the-middle attack (CVE-2023-48795), arbitrary command execution (CVE-2023-51385), and information disclosure (CVE-2023-51384) due to OpenSSH
Bulletin summary: Vulnerabilities in AIX's OpenSSH could allow a remote attacker to launch a machine-in-the-middle attack (CVE-2023-48795) and execute arbitrary commands (CVE-2023-51385), and could allow a local authenticated attacker to obtain sensitive information (CVE-2023-51384). OpenSSH is used by AIX for remote login.
The security team did a good job of signing the efixes and the bulletin. However there are several major security problems here.
- "A. OpenSSH 8.1.102.xxxx is out-of-support. Users are advised to upgrade to OpenSSH 8.1.112.xxxx or 9.2.112.xxxx."
Out of support from who? If I'm up to date with IBM's TL and SP, I should be running a supported version. According to IBM in the ticket I've opened, OpenSSH has stopped supporting those versions upstream. AIX development hasn't shipped a newer version. Both OpenSSH and OpenSSL are backleveled in the current SP due to an unfortunate release cycle conflict. This is why 7.2 TL5 SP7 jumps to OpenSSL 3.
Ok, so how do I get a supported version?
What is this site? This is a marketing site?!
Since when are AIX critical security updates distributed outside of the TL/SP supply chain, or Fix Central? I'm supposed to download security critical software from a random marketing repository? Why aren't these versions an efix? Efixes are for updates that must occur faster than the standard release process.
Reviewing what is for download, I see significantly newer versions of OpenSSH and OpenSSL. There are no signatures or checksums provided for the files. These packages are absolutely critical programs related to security, and there is no way I'll install packages I can't authenticate into production.
So I opened a ticket with IBM support, leading to more fun!
- Signed LPP packages are validated in a boneheaded manner
IBM support says that the packages on the MRS site are signed LPP's. This is a relatively new feature in AIX, where you can use chsignpolicy to apply a policy regarding checking of LPP signatures at install time.
Reading the documentation for installp and chsignpolicy, I'm absolutely stunned.
- The policy is off by default.
- Only the highest level policy rejects unsigned LPPs OR LPPS WHICH FAILED THEIR VALIDATION.
- The signature on an LPP file is only checked AT INSTALL TIME.
- There is no option to check the signature on an LPP file without trying to install the package as root with preview disabled.
IBM support's actual recommendation was to install the untrustworthy freshly downloaded packages I can't authenticate, in order to confirm they are authentic.
Software supply chain management is a huge topic in cyber security. I can't in good conscience download critical software from a nonstandard source, and without the ability to confirm the authenticity of the packages.
Please get your act together IBM.
It should be simple to download the latest fixes and verify the authenticity of the software as provided by IBM from a single trusted source.
If I have downloaded a signed package, I should be able to verify the signature without attempting to install the software. Ideally running a command as a non-root user. ie: su - nobody -c installp --checksig NEWDOWNLOAD.lpp
Nothing should ever be posted for download without checksums and a signature from IBM packaging or security. These are now shipped with AIX, making it easier than ever.
------------------------------
========================
Russell Adams
https://adamssystems.nl/
========================
------------------------------
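The thread's central complaint is that downloaded packages cannot be checked before they are handed to installp as root. The script below is an added example written for this post; it is not IBM tooling and not code from either poster. It implements the pre-install gate the original message asks for at the checksum level: it parses a sha256sum(1)-style manifest (assumed to be published by the vendor alongside the packages), hashes every listed file in the download directory as an unprivileged user, and refuses to pass unless every listed file is present and matches, while also flagging files that turned up in the directory without a manifest entry. The package names, contents and the SHA256SUMS layout in demo() are constructed sample data. The caveat a practitioner should keep in mind, and the one the thread makes: a checksum file fetched from the same server as the packages proves only that the transfer was not corrupted. Authenticity requires that the manifest itself carry a vendor signature, which this checksum step does not replace.

```python
"""Pre-install integrity gate: verify downloads against a SHA-256 manifest.

Added example, not IBM tooling. Runs as a normal user and never invokes
installp; the manifest format is the two-column sha256sum(1) layout.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 in 64 KiB chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse '<hex digest>  <filename>' lines into {filename: digest}.

    Rejects malformed digests, duplicate entries and any name that carries a
    path component, so a hostile manifest cannot point the checker outside
    the download directory.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode marker
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"manifest line {lineno}: refusing path component in {name!r}")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name!r}")
        entries[name] = digest
    return entries


def verify_manifest(manifest_text: str, base_dir, manifest_name: str = "SHA256SUMS") -> dict:
    """Check every manifest entry against base_dir; report ok/mismatch/missing/unlisted.

    'passed' is True only when nothing is missing or mismatched. Unlisted files
    do not fail the gate by themselves but are reported so an operator sees them.
    """
    base = Path(base_dir)
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        path = base / name
        if not path.is_file():
            result["missing"].append(name)
        elif hmac.compare_digest(sha256_file(path), digest):
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    for p in sorted(base.iterdir()):
        if p.is_file() and p.name not in expected and p.name != manifest_name:
            result["unlisted"].append(p.name)
    result["passed"] = not (result["mismatch"] or result["missing"])
    return result


def demo() -> dict:
    """Constructed scenario: one good file, one tampered file, one never downloaded,
    and one stray file that the manifest does not mention."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "openssh.base.lpp").write_bytes(b"constructed package contents A\n")
        (base / "openssl.base.lpp").write_bytes(b"constructed package contents B\n")
        manifest = "".join(
            f"{sha256_file(base / n)}  {n}\n" for n in ("openssh.base.lpp", "openssl.base.lpp")
        )
        # Listed in the manifest but absent from the download directory (placeholder digest).
        manifest += "0" * 64 + "  openssh.license.lpp\n"
        (base / "SHA256SUMS").write_text(manifest)
        # Simulate corruption or substitution after the manifest was produced.
        (base / "openssl.base.lpp").write_bytes(b"TAMPERED\n")
        (base / "README.unsigned").write_bytes(b"stray file\n")
        return verify_manifest(manifest, base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints one line per category; in a real download directory you would call verify_manifest() on the vendor's manifest text and only proceed to installp when it returns passed=True, after separately verifying the manifest's signature.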