1. Introduction
The AIX OpenSSL Advisory openssl_advisory29.asc details a vulnerability in versions of OpenSSL installed on AIX systems. It is a side-channel information-disclosure vulnerability: an attacker able to observe the affected operations can potentially recover sensitive information from the system's memory. This impacts the confidentiality of data processed by affected OpenSSL installations.
2. Technical Explanation
The vulnerability stems from a flaw in how OpenSSL handles certain cryptographic operations: the time those operations take varies with the data being processed, and an attacker who observes those timing variations can infer information about the keys or data involved. An attacker needs local access to exploit this vulnerability. The issues are tracked as CVE-2018-0734 and CVE-2018-5407. As an example, an attacker with local shell access could use timing attacks against a running OpenSSL process to infer parts of the private key used for encryption.
- Root cause: Timing variations during cryptographic operations reveal information about internal data.
- Exploit mechanism: An attacker measures the time taken for different operations and infers sensitive information from these differences.
- Scope: AIX systems with vulnerable versions of OpenSSL installed.
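To make the root cause concrete, the following added example (not code from the IBM advisory or from OpenSSL) shows the general class of bug: a comparison whose work depends on secret data beside a constant-time version that does the same work regardless of input. Instead of measuring wall-clock time, which is noisy, each function also returns how many byte comparisons it performed, a deterministic stand-in for the execution time an observer would measure. The secret and guesses are constructed sample values.

```python
"""Toy timing side channel and its constant-time mitigation (illustrative only)."""
from typing import Callable, List, Tuple

Compare = Callable[[bytes, bytes], Tuple[bool, int]]


def leaky_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison: returns at the first mismatching byte.

    The number of loop iterations, and so the time taken, grows with the
    number of correct leading bytes in `guess`. That dependency is the leak.
    """
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Examines every byte and accumulates differences with OR.

    The work done no longer depends on where (or whether) the inputs differ,
    so timing reveals nothing about the secret's contents. Note that the
    length check still reveals the secret's length, as does the standard
    library's hmac.compare_digest; lengths must be fixed or padded separately.
    """
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    diff = 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def work_profile(compare: Compare, secret: bytes, guesses: List[bytes]) -> List[int]:
    """Return the amount of work each guess triggered under `compare`.

    A profile that varies across guesses means the comparison leaks; a flat
    profile means it does not.
    """
    return [compare(secret, g)[1] for g in guesses]


def leaks(compare: Compare, secret: bytes, guesses: List[bytes]) -> bool:
    """True if the comparison's work depends on the guess (i.e. it leaks)."""
    return len(set(work_profile(compare, secret, guesses))) > 1


if __name__ == "__main__":
    # Constructed sample data: an 8-byte secret and guesses with 0, 2 and 8
    # correct leading bytes.
    secret = b"s3cret!!"
    guesses = [b"xxxxxxxx", b"s3xxxxxx", b"s3cret!!"]
    print("leaky   :", work_profile(leaky_compare, secret, guesses))
    print("constant:", work_profile(constant_time_compare, secret, guesses))
```

The leaky profile rises with each correct prefix byte, which is exactly the signal a timing attack accumulates; the constant-time profile is flat. In production code, use `hmac.compare_digest` (or the equivalent in your language's crypto library) rather than a hand-written loop, and treat the vendor patch as the fix for OpenSSL itself, since its leak is inside the library, not in application code.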
3. Detection and Assessment
To check if your system is affected, verify the OpenSSL version. A thorough assessment involves reviewing logs for suspicious activity related to cryptographic operations.
- Quick checks: Use the following command to display the OpenSSL version:
  openssl version
- Scanning: Nessus plugin ID 110748 can detect this vulnerability, but results should be verified manually.
- Logs and evidence: Examine system logs for unusual CPU usage or activity related to cryptographic processes.
4. Solution / Remediation Steps
Apply the fix available from the IBM AIX website. Follow these steps carefully to ensure a successful update.
4.1 Preparation
- No services need to be stopped for this fix, but it is advisable to schedule it during a maintenance window. The rollback plan is to restore from a backup or snapshot.
- Change control approval may be required depending on your organization’s policies.
4.2 Implementation
- Step 1: Download the appropriate fix package for your AIX version from https://aix.software.ibm.com/aix/efixes/security/openssl_advisory29.asc
- Step 2: Install the fix package using the smitty apply command.
4.3 Config or Code Example
No configuration change is required; this vulnerability is fixed by updating the OpenSSL package.
4.4 Security Practices Relevant to This Vulnerability
Regular patch management is critical for addressing vulnerabilities like this one. Least privilege can reduce the impact if an attacker gains access.
- Practice 1: Implement a regular patch cadence to ensure timely application of security updates.
- Practice 2: Enforce least privilege principles, limiting user and service accounts’ access rights.
4.5 Automation (Optional)
Automation is not directly applicable to this specific fix, since it requires downloading the package and installing it via smitty.
5. Verification / Validation
- Post-fix check: Run
  openssl version
  and confirm the version is updated to a patched release.
- Re-test: Re-run the initial openssl version command to verify the update was successful.
- Smoke test: Verify that SSL/TLS connections to key services (e.g., web servers, email servers) are still functioning as expected.
6. Preventive Measures and Monitoring
Update security baselines to include the patched OpenSSL version. Implement vulnerability scanning in your CI/CD pipelines.
- Baselines: Update your AIX security baseline with the minimum required OpenSSL version.
- Asset and patch process: Maintain a regular patch review cycle, prioritizing critical vulnerabilities like this one.
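The quick check in section 3, the post-fix check in section 5 and the baseline in this section all reduce to the same operation: read the output of openssl version and compare it against a minimum patched version. The following added example (not part of the IBM advisory) does that comparison in a way that can be dropped into a baseline script. The page does not state the patched version number, so MINIMUM_VERSION is a placeholder to be replaced with the version named in the advisory for your AIX level; the sample output strings are constructed.

```python
"""Compare `openssl version` output against a baseline minimum (added example)."""
import re
import subprocess
from typing import Optional, Tuple

# PLACEHOLDER: replace with the patched version named in openssl_advisory29.asc
# for your AIX release. The value below is an assumption, not from the advisory.
MINIMUM_VERSION = "1.0.2q"

# Matches the leading "OpenSSL 1.0.2p" of the usual
# "OpenSSL 1.0.2p  14 Aug 2018" output; anything after it is ignored.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, int]


def parse_version(output: str) -> Optional[Version]:
    """Turn version output into a sortable tuple (major, minor, fix, suffix).

    OpenSSL 1.0.x/1.1.x patch releases append a letter (1.0.2p, 1.0.2q, ...);
    the letter is mapped to 1..26 and a missing letter to 0, so that
    1.0.2 < 1.0.2a < 1.0.2b. Returns None if the output is unrecognised.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    suffix = 0
    for ch in letters:  # base-26 so a hypothetical "zb" still sorts after "z"
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), suffix)


def is_patched(output: str, minimum: str = MINIMUM_VERSION) -> bool:
    """True only if the output parses and is at or above the minimum.

    Unparseable output is deliberately treated as unverified rather than
    patched, so a broken or missing openssl binary cannot pass the check.
    """
    found = parse_version(output)
    required = parse_version("OpenSSL " + minimum)
    if found is None or required is None:
        return False
    return found >= required


def installed_openssl_output() -> str:
    """Run `openssl version` on this host; empty string if it cannot run."""
    try:
        return subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=False
        ).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    out = installed_openssl_output()
    print(out.strip() or "<openssl not found>")
    print("patched" if is_patched(out) else "NOT patched (or output unrecognised)")
```

Two caveats for AIX: the version string confirms which OpenSSL build is on the PATH but not that the advisory's fileset was installed, so the baseline check should also record the fileset level shown by lslpp -L openssl.base; and hosts with more than one OpenSSL install need each binary checked by full path rather than relying on PATH order.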
7. Risks, Side Effects, and Roll Back
Applying the fix may require a system reboot, potentially causing service interruption. If issues arise, restore from backup or snapshot.
- Risk or side effect 1: System reboot required, leading to temporary downtime.
- Risk or side effect 2: Potential compatibility issues with older applications (unlikely but possible).
- Roll back: Restore the system from the pre-update backup or snapshot.
8. References and Resources
Refer to the official IBM AIX security advisory for detailed information about this vulnerability.
- Vendor advisory or bulletin: https://aix.software.ibm.com/aix/efixes/security/openssl_advisory29.asc
- NVD or CVE entry: CVE-2018-0734, CVE-2018-5407
- Product or platform documentation relevant to the fix: IBM AIX documentation on applying security fixes.