How to remediate – AIX OpenSSL Advisory : openssl_advisory28.asc

1. Introduction

The AIX OpenSSL Advisory : openssl_advisory28.asc details a denial of service vulnerability affecting versions of OpenSSL installed on AIX systems. This vulnerability could allow an attacker to crash the affected system, leading to service disruption. Systems running vulnerable versions of OpenSSL are at risk. The impact on availability is likely to be high, with potential for confidentiality and integrity compromise if the flaw is exploited as part of a wider attack.

2. Technical Explanation

The vulnerability in OpenSSL allows an attacker to trigger a denial-of-service condition by sending specially crafted input that causes the software to crash. Exploitation requires local access to the AIX host. The CVE identifier for this issue is CVE-2018-0732.

  • Root cause: A flaw in OpenSSL’s handling of certain TLS/SSL records leads to a crash when processing malicious input.
  • Exploit mechanism: An attacker with local access can craft a specific network request that triggers the vulnerability, causing the OpenSSL process to terminate unexpectedly.
  • Scope: AIX systems running vulnerable versions of OpenSSL are affected.

3. Detection and Assessment

You can confirm if your system is vulnerable by checking the installed OpenSSL version. A thorough method involves reviewing system logs for crash events related to OpenSSL.

  • Quick checks: Use the following command to display the OpenSSL version: openssl version
  • Scanning: Nessus plugin ID 112849 can detect this vulnerability, but results should be verified.
  • Logs and evidence: Check system logs (e.g., /var/log/messages) for crash events or errors related to OpenSSL processes.

4. Solution / Remediation Steps

Apply the fix available from the IBM AIX website to address this vulnerability. Follow these steps carefully.

4.1 Preparation

  • No services need to be stopped for this update, but plan for potential downtime during installation and testing. The rollback plan is to restore from backup.

4.2 Implementation

  1. Download the appropriate fix package for your AIX version from https://aix.software.ibm.com/aix/efixes/security/openssl_advisory28.asc.
  2. Install the fix package using the smitty applyfix command or the graphical interface.

4.3 Config or Code Example

No configuration changes are required as this is a patch update.

4.4 Security Practices Relevant to This Vulnerability

Regular patch management is crucial for addressing vulnerabilities like this one. Keeping systems up-to-date reduces the attack surface and minimizes risk.

  • Practice 1: Implement a robust patch cadence to ensure timely application of security updates.

4.5 Automation (Optional)

Automation is not recommended for this specific fix due to the need for system reboot and potential compatibility issues. Manual verification is advised.

5. Verification / Validation

  • Post-fix check: Run openssl version and confirm it displays a patched version of OpenSSL.
  • Re-test: Re-run the initial vulnerability scan to verify that the issue is no longer detected.
  • Smoke test: Verify key services such as SSH, HTTPS, and any other applications relying on OpenSSL are functioning correctly.

6. Preventive Measures and Monitoring

Update your security baseline to include the patched OpenSSL version. Consider adding checks in your CI/CD pipeline to prevent deployment of vulnerable versions.

  • Baselines: Update your system security baseline or policy to require the latest patched version of OpenSSL.
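
One way to implement the version check suggested above as a pipeline or post-fix gate (an added example, not code from IBM or the original page). It assumes the fix changes the string reported by openssl version and that the minimum fixed version, which this page does not state, is taken from the IBM advisory and passed as an argument; the function and script names are hypothetical.

```sh
#!/bin/sh
# Added example: version gate for the OpenSSL 1.0.x/1.1.x letter-release scheme.
# The minimum version is supplied by the operator; this page does not state it.

# Pull the version token out of `openssl version` output and drop a "-fips" tag.
ossl_parse() {
    printf '%s\n' "$1" | {
        read -r name ver _rest
        [ "$name" = "OpenSSL" ] && printf '%s\n' "${ver%%-*}"
    }
}

# Map "1.0.2o" to "001.000.002.1o" so that a byte-wise sort orders releases.
# The digit before the letters is their count, which puts "za" after "z".
ossl_key() {
    nums=${1%%[a-z]*}      # numeric part, e.g. "1.0.2"
    patch=${1#"$nums"}     # letter release, e.g. "o", "za", or empty
    case $nums in ''|*[!0-9.]*) return 1 ;; esac
    case $patch in *[!a-z]*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $nums
    IFS=$oldifs
    [ $# -eq 3 ] || return 1
    printf '%03d.%03d.%03d.%d%s\n' "$1" "$2" "$3" "${#patch}" "$patch"
}

# Exit 0 if installed version $1 >= required minimum $2, 1 if lower,
# 2 if either string cannot be parsed.
ossl_at_least() {
    cur=$(ossl_key "$1") && min=$(ossl_key "$2") || return 2
    lowest=$(printf '%s\n%s\n' "$cur" "$min" | LC_ALL=C sort | head -n 1)
    [ "$lowest" = "$min" ]
}

# Usage: sh check_openssl.sh MIN_VERSION   (script name is hypothetical)
if [ $# -eq 1 ]; then
    installed=$(ossl_parse "$(openssl version)") || exit 2
    if ossl_at_least "$installed" "$1"; then
        echo "OK: OpenSSL $installed meets minimum $1"
    else
        echo "FAIL: OpenSSL $installed is below $1 or unparsable" >&2
        exit 1
    fi
fi
```

A version that cannot be parsed is reported as a failure, so the gate fails closed.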

7. Risks, Side Effects, and Roll Back

Applying patches can sometimes introduce compatibility issues. Always test in a non-production environment first. If issues arise, restore from backup.

  • Risk or side effect 1: Potential for service disruption during reboot. Mitigate by scheduling downtime appropriately.

8. References and Resources

Refer to official IBM documentation for detailed information about this vulnerability and the available fix.

Updated on October 26, 2025
