February 16, 2017
By default AIX uses NTPv3. This probably works fine for an internal-only situation (I hope), but for a server that also talks to the "outside," I recall that NTP shows up fairly frequently in CVE announcements.
Taking a look at what I can find at http://aix.software.ibm.com/aix/efixes/security/, I see several advisories on NTP.
The 7th security advisory on NTP for AIX (from September 13, 2016) lists the following CVEs:
Security Bulletin: Vulnerabilities in NTP affect AIX
CVE-2015-7974 CVE-2016-1550 CVE-2016-1551 CVE-2016-2517 CVE-2016-2518
CVE-2016-2519 CVE-2016-1547 CVE-2016-4957 CVE-2016-4953 CVE-2016-4954
There is another advisory (from June 29, 2016) on NTPv4 only that references two CVEs:
CVE-2014-9297 and CVE-2015-1799
Upon digging deeper, I learned that AIX is using NTPv3, but both versions can be installed. You can verify which version you are using by just looking at where /usr/sbin/xntpd points:
lrwxrwxrwx 1 root system 20 Dec 27 11:20 /usr/sbin/xntpd -> /usr/sbin/ntp3/xntpd
I would have preferred that the program names in /usr/sbin/ntp3 and /usr/sbin/ntp4 were the same, because then I could have just entered this command (to test the setup):
ln -sf /usr/sbin/ntp4/* /tmp/sbin
I am so glad I was conservative – and did not immediately activate the ntp4 versions. They simply were not installed! I had misread the documentation as the ntp4 versions “are installed” rather than “can be installed.”
Unfortunately, while AIX does provide NTP4, by default NTP4 is not on the base DVD for AIX 6.1 and AIX 7.1. If you want NTP4, you need the expansion DVD. The fileset is named ntp.rte, and NTP3 is part of bos.net.tcp.client. From an old expansion DVD (from 2012) I have:
# installp -d ./installp/ppc/ntp.rte -L
ntp.rte:ntp.rte:188.8.131.52::I:T:::::N:NTP Network Time Protocol::::0::
FYI: The NTP4 advisory above says this is an affected version.
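As an added example (not part of the original post), a small shell script that automates the two checks made by hand above: which generation the /usr/sbin/xntpd link selects, whether the ntp4 daemon actually exists (the trap of retargeting the link before the fileset is installed), and pulling the level field out of an installp -L line. The sbin directory is a parameter so the functions can be pointed at a test tree; the field positions for installp -L are an assumption read off the single line shown above.

```shell
#!/bin/sh
# Added example, not from the original post. All functions take the sbin
# directory as an optional argument (default /usr/sbin) so they can be run
# against a scratch tree instead of a live system.

# Classify the xntpd link: prints ntp3, ntp4, unknown, or missing.
ntp_generation() {
    sbin=${1:-/usr/sbin}
    link="$sbin/xntpd"
    if [ ! -L "$link" ] && [ ! -e "$link" ]; then
        echo missing
        return 1
    fi
    # ls -l prints "name -> target" for a symlink, exactly as in the post;
    # a regular file prints no arrow and is classified as unknown.
    target=$(ls -ld "$link" | sed -n 's/.* -> //p')
    case "$target" in
        */ntp3/xntpd) echo ntp3 ;;
        */ntp4/xntpd) echo ntp4 ;;
        *)            echo unknown ;;
    esac
}

# The pitfall from the post: the link can be retargeted to ntp4 even when the
# ntp.rte fileset was never installed. Succeeds only if the ntp4 daemon exists.
ntp4_present() {
    sbin=${1:-/usr/sbin}
    [ -x "$sbin/ntp4/xntpd" ]
}

# Extract the level of a fileset from one "installp -L" line.
# Assumption (from the sample line in the post): colon-separated fields where
# field 2 is the fileset name and field 3 is its level.
installp_level() {
    printf '%s\n' "$1" | awk -F: -v fs="$2" '$2 == fs { print $3; exit }'
}

# Usage on a live system: report generation, then refuse to call ntp4 "ready"
# unless the daemon is really there.
if [ -z "$NTP_CHECK_NO_MAIN" ]; then
    gen=$(ntp_generation /usr/sbin) || true
    echo "active xntpd generation: $gen"
    if ntp4_present /usr/sbin; then
        echo "ntp4 daemon installed"
    else
        echo "ntp4 daemon NOT installed (ntp.rte missing?)"
    fi
fi
```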
Still Not Enthralled
So why do I still have a sad face?
a) NTP4 is not part of the AIX 6.1 default install base DVDs
b) NTP4 was not part of the AIX 7.1 media (the fileset name might have changed to align with AIX 7.2)
c) NTP4 might be a part of AIX 7.2, but I do not own a POWER7 so I cannot verify myself.
d) I cannot find updates to ntp.rte, which is among the filesets updated via SUMA. (I couldn’t find it listed at FixCentral.)
Not the content I was expecting for this blog, but it’s honest.
Bits to Remember
NTP3 is/was part of the bos.net.tcp.client fileset. Starting with AIX 7.2 they divided the tcp.server and tcp.client filesets into many smaller filesets, so you can specify which tcp components you install, rather than all or nothing. AIX 7.1 may be (partially) following this convention.
IMHO: Having the tcp applications split into several filesets is much easier to maintain than the TbD (a.k.a. TrustedbyDefault) install option introduced in AIX 6.1.