Due to an exploitable bug within openssl, it is imperative that the AIX systems be brought up to date to reduce any risk of exposure or loss of service. Detailed below are the steps to bring openssh and openssl up-to-date.
- Security advisory: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
Update files
Be sure to download the files from IBM’s AIX Web Download Pack section. ( https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=aixbp&lang=en_US)
- openssl-0.9.8.1800.tar.Z
- openssh_5.8.0.6102.tar.Z
NOTE: There are probably newer versions of openssl/openssh since this procedural document was created.
Once the files have been downloaded and transferred to the target machine, do the following:
Installation Steps
- Backup the /etc/ssh server (in particular the host keys)
- Extract the OpenSSL files and apply the openssl update. NOTE: It cannot be put in the “applied” state.
- Stop the sshd daemon, as it will interfere with install operation
- Uninstall the old version of openssh
- Install new version of openssh
- Restore the SSH keys to the /etc/ssh directory structure
- Modify the host keys to have proper file permissions
- Restart the ssh daemon
- Restart any other services that depend on ssl
- Restart the host if other running services cannot be restarted on the fly and require a reboot
NOTE: If openssh is in use, it must be updated to an openssh 5.8.0.61xx version when updating to openssl 0.9.8.1800. openssl 0.9.8.1800 supports PKCS11. A newer version may be available; if so, substitute its version numbers in the commands below.
Detailed Steps
openssh tarball backup
mkdir -p /1/etc/ssh
mkdir -p /1/usr/local/etc
cp /etc/ssh/* /1/etc/ssh/
cp /usr/local/etc/* /1/usr/local/etc/
cd /1
tar -cvf ssh.backup.tar *
gzip ssh.backup.tar
openssl Update
gunzip -c openssl-0.9.8.1800.tar.Z | tar -xvf -
cd openssl-0.9.8.1800
installp -aXYd . openssl
openssh Uninstall and New Installation
stopsrc -s sshd
geninstall -u openssh
gunzip -c OpenSSH_5.8.0.6102.tar.Z | tar -xvf -
installp -aXYd . openssh.base openssh.man.en_US openssh.msg.EN_US
cd /1
gunzip -c ssh.backup.tar.gz | tar -xvf -
cp /1/etc/ssh/* /etc/ssh
SSH reload
Once the installp for OpenSSH has completed, the ssh daemon must be restarted. Note that the installp puts in place a new sshd_config which has unacceptable openings, so do not start sshd with it. After copying the original /etc/ssh/* files back, run stopsrc -s sshd ; startsrc -s sshd
to ensure that these original config files are in use.
Bugs fixed via openssl 0.9.8.1800
- CVE 2011-0014 – Description: Incorrectly formatted ClientHello handshake messages could cause OpenSSL to parse past the end of the message.
- CVE 2010-3864 – Description: A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack.
- CVE 2010-4180 – Description: A flaw has been found in the OpenSSL SSL/TLS server code where an old bug workaround allows malicious clients to modify the stored session cache ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one on subsequent connections.
- CVE 2010-0433 – Description: A flaw in OpenSSL that can cause a TLS/SSL server using OpenSSL to crash when a client proposes certain cipher suites in its client hello. This crash is caused by a missing kerberos krb5_sname_to_principal() function return value check in OpenSSL’s kssl_keytab_is_available() (ssl/kssl.c). This function can return an error under certain circumstances (the issue was reproduced with dovecot and stunnel configured to chroot their process to an empty directory, causing the getaddrinfo() call to fail). If kssl_keytab_is_available() fails, it may leave princ (the kerberos service principal) unmodified, causing krb5_kt_get_entry() to be called with a NULL principal. With certain krb5 versions, this leads to a NULL pointer dereference.