Updating openssl and openssh

Due to an exploitable bug within openssl, it is imperative that the AIX systems be brought up to date to reduce any risk of exposure or loss of service. Detailed below are the steps to bring openssh and openssl up-to-date.

Update files

Be sure to download the files from IBM’s AIX Web Download Pack section (https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US).

  • openssl-0.9.8.1800.tar.Z
  • openssh_5.8.0.6102.tar.Z

NOTE: There are probably newer versions of openssl/openssh since this procedural document was created.

Once the files have been downloaded and transferred to the target machine, do the following:

Installation Steps

  1. Back up the /etc/ssh directory (in particular the host keys)
  2. Extract the OpenSSL files and apply the openssl update. NOTE: It can’t be put in the “applied state”.
  3. Stop the sshd daemon, as it will interfere with the install operation
  4. Uninstall the old version of openssh
  5. Install the new version of openssh
  6. Restore the SSH keys to the /etc/ssh directory structure
  7. Modify the host keys to have proper file permissions
  8. Restart the ssh daemon
  9. Restart any other services depending on ssl
  10. Restart the host if other services are running which cannot be restarted on the fly but require a reboot

NOTE: If openssh is in use, it must be updated to the openssh 5.8.0.61xx version when updating to openssl 0.9.8.1800. openssl 0.9.8.1800 supports PKCS11. If you downloaded newer versions, use their version numbers in the commands below.

Detailed Steps

openssh tarball backup

mkdir -p /1/etc/ssh
mkdir -p /1/usr/local/etc
cp /etc/ssh/* /1/etc/ssh/
cp /usr/local/etc/* /1/usr/local/etc/
cd /1
tar -cvf ssh.backup.tar *
gzip ssh.backup.tar

openssl Update

gunzip -c openssl-0.9.8.1800.tar.Z | tar -xvf -
cd openssl-0.9.8.1800
installp -aXYd . openssl

openssh Uninstall and New Installation

stopsrc -s sshd
geninstall -u openssh
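cd ..    # back to the directory holding the tarballs (assumes both were downloaded to the same place)
gunzip -c OpenSSH_5.8.0.6102.tar.Z | tar -xvf -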
installp -aXYd . openssh.base openssh.man.en_US openssh.msg.EN_US
cd /1
gunzip -c ssh.backup.tar.gz | tar -xvf -
cp /1/etc/ssh/* /etc/ssh
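The detailed steps give no command for step 7, and sshd will not load a private host key that is readable by group or other. The sh functions below are an added example, not part of the original procedure: they set the key modes and confirm that the restored host keys are byte-identical to the backup, so clients keep seeing the same host identity. The function names are hypothetical; the paths in the usage comment are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original procedure. Function names are
# hypothetical; both take directories as arguments so they can be tried
# on a scratch copy before being pointed at /etc/ssh.

# Step 7: private host keys 600, public host keys 644.
fix_hostkey_perms() {
    dir=$1
    for key in "$dir"/ssh_host_*key; do
        [ -f "$key" ] || continue          # glob matched nothing
        chmod 600 "$key"
        if [ -f "$key.pub" ]; then chmod 644 "$key.pub"; fi
    done
    # Report any private key whose mode is still not exactly 600.
    loose=$(find "$dir" -type f -name 'ssh_host_*key' ! -perm 600 -print)
    [ -z "$loose" ] || { echo "loose private key modes: $loose" >&2; return 1; }
}

# Step 6 check: every backed-up host key must exist in the live directory
# with identical contents; a key regenerated by the new install would
# show up here as a mismatch.
verify_restored_keys() {
    backup=$1
    live=$2
    rc=0
    for src in "$backup"/ssh_host_*; do
        [ -f "$src" ] || continue
        dst="$live/$(basename "$src")"
        if ! cmp -s "$src" "$dst"; then
            echo "MISMATCH: $dst differs from backup or is missing" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage after the restore, before restarting sshd:
#   fix_hostkey_perms /etc/ssh && verify_restored_keys /1/etc/ssh /etc/ssh
```

Run both before the stopsrc/startsrc in the next section; a non-zero exit from either means the daemon should not be restarted yet.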

SSH reload

Once the installp for OpenSSH has completed, the ssh daemon should have been restarted using the newly installed sshd_config, which has unacceptable openings. After copying the original /etc/ssh/* files back, you will need to run stopsrc -s sshd ; startsrc -s sshd to ensure that these original config files are in use.

Bugs fixed via openssl 0.9.8.1800

  1. CVE-2011-0014 – Description: Incorrectly formatted ClientHello handshake messages could cause OpenSSL to parse past the end of the message.
  2. CVE-2010-3864 – Description: A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack.
  3. CVE-2010-4180 – Description: A flaw has been found in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections.
  4. CVE-2010-0433 – Description: A flaw in OpenSSL that can cause a TLS/SSL server using OpenSSL to crash when a client proposes certain cipher suites in its client hello. This crash is caused by a missing check of the return value of the kerberos krb5_sname_to_principal() function in OpenSSL’s kssl_keytab_is_available() (ssl/kssl.c). This function can return an error under certain circumstances (the issue was reproduced with dovecot and stunnel configured to chroot their process to an empty directory, causing the getaddrinfo() call to fail). If kssl_keytab_is_available() fails, it may leave princ (kerberos service principal) unmodified, causing krb5_kt_get_entry() to be called with NULL principal. With certain krb5 versions, this leads to a NULL pointer.