AIX and NTP

February 16, 2017

Introduction
By default AIX uses NTPv3. This probably works fine for an internal-only situation (I hope), but for a server that also talks to the "outside," I recall that NTP shows up fairly frequently in CVE notices.

Taking a look at what I can find at http://aix.software.ibm.com/aix/efixes/security/, I see several advisories on NTP.

The 7th security advisory on NTP for AIX (from September 13, 2016) lists the following CVEs:

Security Bulletin:  Vulnerabilities in NTP affect AIX
    CVE-2015-7974 CVE-2016-1550 CVE-2016-1551 CVE-2016-2517 CVE-2016-2518
    CVE-2016-2519 CVE-2016-1547 CVE-2016-4957 CVE-2016-4953 CVE-2016-4954
    CVE-2016-4955


There is another advisory (from June 29, 2016) on NTPv4 only that references two CVEs:
    CVE-2014-9297 and CVE-2015-1799

Upon digging deeper, I learned that AIX uses NTPv3 by default, but both versions can be installed. You can verify which version you are using by looking at where /usr/sbin/xntpd points.

lrwxrwxrwx 1 root system 20 Dec 27 11:20 /usr/sbin/xntpd -> /usr/sbin/ntp3/xntpd

I would have preferred that the program names in /usr/sbin/ntp3 and /usr/sbin/ntp4 were the same because then I could have just entered the commands (to test setup):
mkdir /tmp/sbin
ln -sf /usr/sbin/ntp4/* /tmp/sbin

Happy Face
I am so glad I was conservative – and did not immediately activate the ntp4 versions. They simply were not installed! I had misread the documentation as the ntp4 versions “are installed” rather than “can be installed.”

Sad Face
Unfortunately, while AIX does provide NTP4, by default it is not on the base DVD for AIX 6.1 and AIX 7.1. If you want NTP4, you need an expansion DVD. The NTP4 fileset is named ntp.rte, whereas NTP3 is part of bos.net.tcp.client. From an old expansion DVD (from 2012) I have:

# installp -d ./installp/ppc/ntp.rte -L
ntp.rte:ntp.rte:6.1.6.0::I:T:::::N:NTP Network Time Protocol::::0::


FYI: The NTP4 advisory above says this is an affected version.
(see ftp://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc for exact details)
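The two checks above (where /usr/sbin/xntpd points, and which level of ntp.rte is present on the host or on the media) can be scripted. The following is an added example, not code from the original post and not IBM tooling. It parses the symlink line from `ls -l`, the colon-separated records that `lslpp -Lc` and `installp -d <image> -L` print (field 2 is the fileset, field 3 its V.R.M.F level), and compares the level against a minimum that the caller must take from ntp4_advisory.asc. All command output in the script is constructed for offline use, and `MIN_LEVEL` is a hypothetical placeholder, not the advisory's real fixed level.

```shell
#!/bin/sh
# Added example for this post (not IBM's tooling and not the author's code):
# which xntpd is active on an AIX host, what level of the ntp.rte (NTPv4)
# fileset is present, and whether that level meets a minimum the caller has
# read from the IBM advisory. All sample command output below is constructed
# for offline use; the live command to feed in is shown in a comment.

# Which NTP generation /usr/sbin/xntpd resolves to.
# Input: one line of `ls -l /usr/sbin/xntpd`. Prints 3, 4 or unknown.
ntp_version_from_ls() {
    # keep only the symlink target after " -> "; a regular file yields nothing
    target=$(printf '%s\n' "$1" | sed -n 's/.* -> //p')
    case "$target" in
        /usr/sbin/ntp3/*) echo 3 ;;
        /usr/sbin/ntp4/*) echo 4 ;;
        *)                echo unknown ;;
    esac
}

# VRMF level of a fileset from colon-separated records as printed by
# `lslpp -Lc <fileset>` (installed) or `installp -d <image> -L` (on media):
# field 2 is the fileset name, field 3 its level. Prints nothing if absent.
fileset_level() {   # $1 = fileset name; records on stdin
    awk -F: -v fs="$1" '$1 !~ /^#/ && $2 == fs { print $3; exit }'
}

# Compare two AIX levels (V.R.M.F, numeric fields). Prints -1, 0 or 1.
vrmf_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) { print -1; exit }
            if (p > q) { print  1; exit }
        }
        print 0
    }'
}

# Return 0 if the installed level is at or above the minimum, 1 if below,
# 2 if the fileset is not present at all (empty level). The minimum must
# come from the advisory (ntp4_advisory.asc); this script does not know it.
ntp_level_ok() {    # $1 = installed level (may be empty), $2 = minimum level
    [ -n "$1" ] || return 2
    [ "$(vrmf_cmp "$1" "$2")" -ge 0 ]
}

# ---- constructed sample data (not captured from a real host) ----
# live:  ls -l /usr/sbin/xntpd
LS_LINE='lrwxrwxrwx 1 root system 20 Dec 27 11:20 /usr/sbin/xntpd -> /usr/sbin/ntp3/xntpd'
# live:  installp -d ./installp/ppc/ntp.rte -L   (record as shown in the post)
MEDIA_OUT='ntp.rte:ntp.rte:6.1.6.0::I:T:::::N:NTP Network Time Protocol::::0::'
# live:  lslpp -Lc bos.net.tcp.client ntp.rte   (ntp.rte absent => no record)
LSLPP_OUT='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos.net.tcp.client:bos.net.tcp.client:6.1.9.0: : :C:F:TCP/IP Client Support'
# HYPOTHETICAL placeholder: replace with the fixed level named in the advisory.
MIN_LEVEL='6.1.6.1'

report() {
    echo "active xntpd:        NTPv$(ntp_version_from_ls "$LS_LINE")"
    lvl=$(printf '%s\n' "$LSLPP_OUT" | fileset_level ntp.rte)
    echo "installed ntp.rte:   ${lvl:-not installed}"
    media=$(printf '%s\n' "$MEDIA_OUT" | fileset_level ntp.rte)
    echo "ntp.rte on media:    ${media:-not present}"
    if ntp_level_ok "$media" "$MIN_LEVEL"; then
        echo "media level meets the assumed minimum $MIN_LEVEL"
    else
        echo "media level $media is below the assumed minimum $MIN_LEVEL: find a newer ntp.rte before installing"
    fi
}

report
```

On a live host, replace the three constructed strings with the output of the commands named in the comments; the comparison deliberately treats a missing fileset (exit 2) differently from an outdated one (exit 1), since "not installed" is exactly the state the post describes.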
 
Still Not Enthralled

So why do I still have a sad face?

a) NTP4 is not part of the AIX 6.1 default install base DVDs
b) NTP4 was not part of the AIX 7.1 media (the fileset name might have changed to align with AIX 7.2)
c) NTP4 might be a part of AIX 7.2, but I do not own a POWER7 so I cannot verify myself.
d) I cannot find updates to ntp.rte, which should be among the filesets updated via SUMA. (I couldn't find it listed at Fix Central.)

Sigh
Not the content I was expecting for this blog, but it’s honest.

Bits to Remember
NTP3 is/was part of the bos.net.tcp.client fileset. Starting with AIX 7.2 they divided the tcp.server and tcp.client filesets into many smaller filesets, so you could specify what tcp components you installed, rather than all or nothing. AIX 7.1 may be (partially) following this convention.

IMHO: Having the tcp applications split into several filesets is much easier to maintain than the TbD (a.k.a. TrustedbyDefault) install option introduced in AIX 6.1.
