
How to remediate – AIX OpenSSL Advisory : openssl_advisory6.asc

1. Introduction

The vulnerability “AIX OpenSSL Advisory : openssl_advisory6.asc” covers three flaws in the OpenSSL 1.0.1 fileset shipped with AIX. Each can be triggered remotely with crafted TLS or DTLS traffic and crashes the application linked against OpenSSL, so the impact is denial of service: loss of availability for any service or client that relies on OpenSSL for secure communication. None of the three is reported as allowing code execution or data disclosure.

2. Technical Explanation

The AIX host is running a version of OpenSSL from the 1.0.1 stream that predates the fix. Three vulnerabilities are covered. CVE-2013-4353: a malicious server crashes a connecting client by sending an invalid TLS handshake (a NULL pointer dereference in ssl3_take_mac while processing a crafted Next Protocol Negotiation record). CVE-2013-6450: the digest and encryption context for a retransmitted DTLS message is not maintained correctly, so an attacker who can interfere with DTLS packet delivery and force a retransmission can crash the peer. CVE-2013-6449: ssl_get_algorithm2 reads the protocol version from the wrong data structure, so crafted traffic from a TLS 1.2 client crashes a vulnerable server. No authentication is required; the attacker only has to send the crafted traffic, or get a vulnerable client to connect to a server under their control.

  • Root cause: Flaws in OpenSSL's handling of the TLS handshake (ssl3_take_mac), of DTLS retransmission state, and of the version lookup in ssl_get_algorithm2.
  • Exploit mechanism: A malicious peer triggers the crash during connection establishment or retransmission. For CVE-2013-6449 a client opens a TLS 1.2 connection to a vulnerable server with crafted traffic; for CVE-2013-4353 a server sends an invalid handshake to a vulnerable client; for CVE-2013-6450 the attacker interferes with DTLS packet delivery so that a retransmitted message is processed with the wrong context.
  • Scope: AIX systems whose openssl.base fileset is in the 1.0.1 stream at a level below the fix level 1.0.1.501.

3. Detection and Assessment

Confirming the vulnerability means checking the installed OpenSSL fileset level, not only the upstream release string. openssl version prints the upstream release (for example OpenSSL 1.0.1e) and does not show the AIX fileset level in which the advisory and the fix package are expressed, so on its own it cannot tell a patched fileset from an unpatched one. lslpp gives the authoritative answer.

  • Quick checks: List the fileset level with lslpp -L openssl.base and read the Level column; it must be 1.0.1.501 or later. openssl version is still useful to confirm that the 1.0.1 stream is the one in use.
  • Scanning: Nessus plugin ID 64530 can detect this vulnerability. Other scanners may have similar capabilities, but results should be verified against the lslpp output on the host.
  • Logs and evidence: Exploitation crashes the process, so look for core dumps (CORE_DUMP entries in errpt) and unexpected restarts of daemons or clients linked against OpenSSL. These bugs leave no characteristic message in normal application logs, so the absence of crashes is not evidence that no attempt was made.
lslpp -L openssl.base

4. Solution / Remediation Steps

4.1 Preparation

  • Take a mksysb backup of the system and confirm it is both bootable and readable; it is the roll back path. Stop services that rely on OpenSSL if possible, and plan to restart any that must keep running, because a process keeps the old libssl and libcrypto mapped until it restarts.
  • Download the fix package (openssl-1.0.1.501.tar.Z) from the location named in the advisory and verify its published checksum before extracting it. The roll back plan is to restore from the mksysb backup if problems occur.
  • A change window may be required depending on your organisation's policies and the service impact assessment, with approval from the relevant stakeholders.

4.2 Implementation

  1. Download the fix package from the location named in the advisory.
  2. Extract the fileset images into the current directory: zcat openssl-1.0.1.501.tar.Z | tar xvf -
  3. Preview the installation without changing anything: installp -apYd . openssl
  4. Install the fix: installp -aXYd . openssl
The flags are: -a apply, -p preview only, -X expand filesystems if space is short, -Y accept the licence agreement, -d . take the images from the current directory. If installp reports that the directory has no .toc file, run inutoc . and retry.

4.3 Config or Code Example

No configuration changes are required; this is a fileset update. Compare the Level column of lslpp -L openssl.base before and after.

Before

lslpp -L openssl.base (Level column shows a 1.0.1 level below 1.0.1.501)

After

lslpp -L openssl.base (Level column shows 1.0.1.501 or later)

4.4 Security Practices Relevant to This Vulnerability

Patch management is the most relevant practice for this vulnerability. Regularly applying security updates reduces exposure to known flaws like those in OpenSSL. Because these three flaws are crashes rather than compromises, isolation and restart policy bound the damage: a crash should take down one service under its own user, and that service should come back automatically.

  • Practice 1: Implement a regular patch cadence for all software, including OpenSSL, and track fileset levels (not just upstream release strings) in inventory.
  • Practice 2: Apply least privilege and isolation to services using OpenSSL, running each under its own user with restricted access, so that a crashed process takes nothing else with it, and configure supervised restart so a denial-of-service crash is a blip rather than an outage.

4.5 Automation (Optional)
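The following POSIX shell script is an added example, not a script from the original article or from IBM. It automates the check from section 3 and the post-fix check from section 5: it reads the Level column for openssl.base from lslpp -L output, compares it with the fix level 1.0.1.501 named in this article, and returns an exit status a scheduler or inventory job can act on. The function names (version_ge, installed_level, assess_level, report), the MIN_LEVEL variable and the two embedded lslpp listings are all constructed for the example; the pre-fix level 1.0.1.500 in the sample is illustrative, not a value taken from the advisory.

```shell
#!/bin/sh
# Added example: check whether the AIX openssl.base fileset is at or above the
# level shipped with openssl_advisory6 (1.0.1.501 on the 1.0.1 stream, per
# this article). Exit status of assess_level: 0 patched, 1 vulnerable,
# 2 not installed or outside the 1.0.1 stream (consult the advisory for others).

MIN_LEVEL="1.0.1.501"

# version_ge A B: succeed if dotted numeric version A >= B. Any number of
# fields is accepted; missing trailing fields count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# installed_level LISTING: print the Level column for openssl.base from the
# text of `lslpp -L openssl.base` (columns: Fileset Level State Type ...).
# Prints nothing if the fileset is absent from the listing.
installed_level() {
    printf '%s\n' "$1" | awk '$1 == "openssl.base" { print $2; exit }'
}

# assess_level LEVEL: print a verdict and set the exit status described above.
assess_level() {
    level="$1"
    if [ -z "$level" ]; then
        echo "NOT_INSTALLED"; return 2
    fi
    case "$level" in
        1.0.1.*) ;;
        *) echo "OTHER_STREAM"; return 2 ;;   # not covered by this check
    esac
    if version_ge "$level" "$MIN_LEVEL"; then
        echo "PATCHED"; return 0
    fi
    echo "VULNERABLE"; return 1
}

# report LISTING: one line suitable for an inventory log.
report() {
    lvl=$(installed_level "$1")
    verdict=$(assess_level "$lvl") || true
    echo "openssl.base ${lvl:-<none>}: $verdict (minimum fixed level $MIN_LEVEL)"
}

# Constructed sample listings in the format lslpp -L prints. 1.0.1.500 is an
# illustrative pre-fix level for the example, not a level from the advisory.
SAMPLE_VULN='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  openssl.base              1.0.1.500    C     F    Open Secure Socket Layer'
SAMPLE_FIXED='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  openssl.base              1.0.1.501    C     F    Open Secure Socket Layer'

if command -v lslpp >/dev/null 2>&1; then
    # On AIX: query the live system.
    report "$(lslpp -L openssl.base 2>/dev/null)"
else
    # Elsewhere: exercise the logic on the constructed listings.
    report "$SAMPLE_VULN"    # openssl.base 1.0.1.500: VULNERABLE ...
    report "$SAMPLE_FIXED"   # openssl.base 1.0.1.501: PATCHED ...
fi
```

On an AIX host the script queries lslpp directly; anywhere else it runs against the embedded listings so the logic can be tested before it is deployed. Feed assess_level's exit status to whatever scheduler or inventory job you use, and run the same script again after installp to close the loop with the verification in section 5.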

5. Verification / Validation

Confirm the fix by checking the OpenSSL fileset level again and verifying that key services are functioning correctly.

  • Post-fix check: Run lslpp -L openssl.base and confirm the Level column shows 1.0.1.501 or later.
  • Re-test: Re-run the initial vulnerability check (lslpp -L openssl.base, and the scanner plugin if one was used) to ensure the vulnerable level is no longer reported.
  • Smoke test: Restart the services that use OpenSSL, then verify that SSL/TLS connections to them still work as expected; a process that was not restarted is still running the old library.
lslpp -L openssl.base (Level column shows 1.0.1.501 or later)

6. Preventive Measures and Monitoring

  • Baselines: Update security baselines or policies to require patched OpenSSL versions.
  • Pipelines: Add checks in CI or deployment pipelines to scan for vulnerable OpenSSL packages.
  • Asset and patch process: Establish a sensible patch or config review cycle (e.g., monthly) that fits the risk profile of your systems.

7. Risks, Side Effects, and Roll Back

  • Side effects: Processes linked against OpenSSL keep the old libssl and libcrypto mapped until they restart, so the update is not effective for them until they are restarted; plan the restarts as part of the change. installp with -X may grow filesystems to make room for the update.
  • Roll back: Restore the system from the mksysb backup created prior to applying the patch.

8. References and Resources

  • IBM AIX security advisory openssl_advisory6.asc (fix package openssl-1.0.1.501.tar.Z)
  • CVE-2013-4353, CVE-2013-6449, CVE-2013-6450

Updated on October 26, 2025
