1. Introduction
The AIX advisory nettcp_advisory2.asc (APARs IV86116 and IV86117) describes a vulnerability affecting versions of the bind service on AIX systems. The issue allows a remote attacker to potentially obtain sensitive information or impersonate a TLS server using man-in-the-middle techniques, due to weaknesses in the TLS protocol implementation. Systems running vulnerable versions of bind are at risk, particularly those handling encrypted network traffic. The impact on confidentiality and integrity is likely to be high.
2. Technical Explanation
The vulnerability stems from two issues within the bind service: MD5 may be used to sign the TLS ServerKeyExchange message, which exposes the handshake to a hash-collision attack (CVE-2015-7575), and IBM AIX does not enforce the newest version of TLS by default (CVE-2016-0266). An attacker exploiting this could intercept communications, potentially stealing credentials or performing actions as a legitimate user. A successful attack requires a man-in-the-middle position on the network.
- Root cause: Weak MD5 hash function used for TLS signing and outdated default TLS versions in AIX.
- Exploit mechanism: An attacker intercepts TLS handshakes, exploits the collision vulnerability to forge signatures, and impersonates the server.
- Scope: Affected platforms are IBM AIX systems running vulnerable versions of bind.
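Both root causes are visible in the TLS handshake itself: a client that advertises an MD5-based entry in its signature_algorithms extension invites the MD5-signed ServerKeyExchange described above, and a client whose ClientHello version is below TLS 1.2 is not demanding the newest protocol version. The following added example (written for this page, not code from IBM or the advisory) parses a ClientHello record and flags both conditions, so a defender reviewing captured handshakes can tell whether endpoints still offer the weak options. The ClientHello bytes are constructed inline with the builder function; the code point tables follow RFC 5246 section 7.4.1.4.1.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246 section 7.4.1.4.1)
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
HASH_MD5 = 1
TLS12 = 0x0303
EXT_SIGNATURE_ALGORITHMS = 0x000D


def build_client_hello(version, sigalgs):
    """Build a minimal, constructed TLS ClientHello record (sample data for the checker).
    version: ClientHello.client_version (0x0301 = TLS 1.0, 0x0303 = TLS 1.2).
    sigalgs: list of (hash, signature) byte pairs to advertise in signature_algorithms."""
    random = bytes(32)                        # zero random: constructed sample, not a real client
    cipher_suites = b"\x00\x2f\x00\x3c"       # TLS_RSA_WITH_AES_128_CBC_SHA, ..._SHA256
    sigalg_body = b"".join(bytes([h, s]) for h, s in sigalgs)
    ext = (struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(sigalg_body) + 2)
           + struct.pack("!H", len(sigalg_body)) + sigalg_body)
    body = (struct.pack("!H", version) + random
            + b"\x00"                                        # empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a TLS ClientHello record into the fields relevant to this advisory."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                           # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    sigalgs = []
    if pos + 2 <= len(body):                       # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SIGNATURE_ALGORITHMS and len(data) >= 2:
                n = struct.unpack("!H", data[:2])[0]
                sigalgs = [(data[i], data[i + 1]) for i in range(2, 2 + n, 2)]
    return {"client_version": client_version, "cipher_suites": cipher_suites, "sigalgs": sigalgs}


def assess_client_hello(record):
    """Flag the two weaknesses from the advisory: MD5 in signature_algorithms (CVE-2015-7575
    exposure) and a client version below TLS 1.2 (the default not being enforced, CVE-2016-0266)."""
    info = parse_client_hello(record)
    weak = ["%s_%s" % (SIG_NAMES.get(s, s), HASH_NAMES.get(h, h))
            for h, s in info["sigalgs"] if h == HASH_MD5]
    return {
        "client_version": info["client_version"],
        "offers_md5_signature": bool(weak),
        "weak_sigalgs": weak,
        "below_tls12": info["client_version"] < TLS12,
    }


if __name__ == "__main__":
    # Constructed samples: a TLS 1.2 client still offering rsa_md5, a TLS 1.0 client, a clean client.
    samples = {
        "offers-md5": build_client_hello(TLS12, [(1, 1), (2, 1), (4, 1)]),
        "tls10-only": build_client_hello(0x0301, []),
        "hardened": build_client_hello(TLS12, [(4, 1), (5, 1), (4, 3)]),
    }
    for name, rec in samples.items():
        print(name, assess_client_hello(rec))
```

Run against real traffic, the record passed to assess_client_hello would be the first TLS record of a captured client connection; any result with offers_md5_signature or below_tls12 set identifies a client that should be reconfigured alongside applying the vendor fix.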
3. Detection and Assessment
To confirm whether a system is vulnerable, check the installed version of bind. A thorough assessment also involves reviewing the TLS configuration settings.
- Quick checks: Use the following command to display the bind version:
bind -v
- Scanning: Nessus vulnerability ID 79684 and Rapid7 vulnerability ID 92150 can detect this issue. These are examples only; results may vary.
- Logs and evidence: Check system logs for TLS handshake errors or suspicious activity related to bind. Specific log files depend on the AIX configuration.
4. Solution / Remediation Steps
Apply the fix available from the IBM AIX website to address this vulnerability.
4.1 Preparation
- No services need to be stopped for this update.
- Roll back plan: If issues occur, restore from backup.
4.2 Implementation
- Step 1: Download the appropriate fix package from https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
- Step 2: Install the fix package using the installp command. For example:
installp -a
- Step 3: Reboot the system if prompted by the installation process.
4.3 Config or Code Example
Before
After
4.4 Security Practices Relevant to This Vulnerability
Practices like a regular patch cadence and secure configuration management are relevant.
- Practice 1: Implement a regular patch cycle to apply security updates promptly, reducing the window of exposure.
- Practice 2: Secure configuration management ensures consistent settings across systems, minimizing vulnerabilities.
4.5 Automation (Optional)
Automation is not directly applicable for this specific fix.
5. Verification / Validation
- Post-fix check: Run the following command to confirm the updated version is installed:
bind -v
- Re-test: Re-run the initial vulnerability scan (Nessus ID 79684, Rapid7 ID 92150) to verify the issue is resolved.
- Monitoring: Monitor system logs for TLS-related errors or unexpected behavior.
6. Preventive Measures and Monitoring
Update security baselines and implement configuration management practices.
- Baselines: Update your AIX security baseline to include the latest patch levels for bind.
- Asset and patch process: Maintain a regular patch review cycle, prioritizing critical vulnerabilities like this one.
7. Risks, Side Effects, and Roll Back
Applying the patch may cause temporary service interruptions during installation or reboot. Rolling back is possible by restoring from a backup.
- Risk or side effect 1: Potential for brief DNS resolution interruption during patching.
- Roll back: Restore the system from a pre-patch backup if issues occur.
8. References and Resources
Refer to the official IBM documentation for this vulnerability.
- Vendor advisory or bulletin: https://aix.software.ibm.com/aix/efixes/security/nettcp_advisory2.asc
- NVD or CVE entry: CVE-2015-7575, CVE-2016-0266