Introduction
A vulnerability rated CVSS 9.6 to 10 has been reported against NIM in AIX.
The high CVSS score caught my attention, so I looked into it.
Security Bulletin: AIX is vulnerable to arbitrary command execution (CVE-2024-56346, CVE-2024-56347)
AIX and VIOS are affected, but it appears that an SP (Service Pack) containing the fix has not been released yet.
This post records what the fix contains and the log of applying the ifix to a NIM server.
Environment
・AIX 7.2 TL5 SP9 (NIM master)
# oslevel -s
7200-05-09-2446
Because this is the NIM master server, the nim master and nim spot filesets are installed in addition to the client fileset.
# lslpp -l | grep nim
bos.sysmgt.nim.client 7.2.5.203 COMMITTED Network Install Manager -
bos.sysmgt.nim.master 7.2.5.204 COMMITTED Network Install Manager -
bos.sysmgt.nim.spot 7.2.5.203 COMMITTED Network Install Manager - SPOT
bos.sysmgt.nim.client 7.2.5.203 COMMITTED Network Install Manager -
Downloading the fix
I downloaded it from the following location.
Extracting nim_fix.tar showed that all of the ifixes were included.
- Place the file on the target server and verify its checksum.
# openssl dgst -sha256 IJ53757m9b.250317.epkg.Z
SHA2-256(IJ53757m9b.250317.epkg.Z)= db4490ffd919679f9d7dd42897d00444b7e185c4a535967c6f422f3091c63cb5
#
Checking the README
SSL Mode for Secure Communication Between NIM Master and Client:
These iFixes enable secure data transmission between the NIM master and
clients using SSL/TLS, enhancing communication security.
Important Notes:
- If your NIM environment is already configured for SSL, no additional
SSL-related actions are required.
- Installation Order: Install the iFix on clients first, then on the
master. Installing it on the master first will break communication,
preventing further updates to clients from the master. In large
environments, it's strongly recommended to install the iFix on all
clients first.
- Applying the iFix will automatically restart the nimesis daemon as
part of the post-installation script.
- For environments without SSL, enabling SSL is recommended to fully
utilize the security enhancements provided by this iFix.
- Refer to the official AIX documentation for enabling cryptographic
authentication:
https://www.ibm.com/docs/en/aix/7.3?topic=communication-enabling-cryptographic-authentication
- The iFix should be installed on all NIM network members or none.
- If the NIM master operates in SSL mode, all NIM clients must also use
SSL mode.
The README specifies the order: apply the ifix to the NIM clients first, and to the NIM master server last.
Applying the ifix restarts the nimesis daemon.
Configuring SSL communication is recommended.
It also states that the ifix must be applied either to every server that takes part in NIM communication or to none of them.
Installation preview
Ran "emgr -e /work/IJ53757m9b.250317.epkg.Z -p". The full output follows.
# emgr -e /work/IJ53757m9b.250317.epkg.Z -p
*******************************************************************************
EFIX MANAGER PREVIEW START
*******************************************************************************
+-----------------------------------------------------------------------------+
Efix Manager Initialization
+-----------------------------------------------------------------------------+
Initializing log /var/adm/ras/emgr.log ...
Efix package file is: /work/IJ53757m9b.250317.epkg.Z
MD5 generating command is /usr/bin/csum
MD5 checksum is e6527ca23fa00dbddb3b76a6d2661424
Accessing efix metadata ...
Processing efix label "IJ53757m9b" ...
Verifying efix control file ...
+-----------------------------------------------------------------------------+
Installp Prerequisite Verification
+-----------------------------------------------------------------------------+
Verifying prerequisite file ...
Checking prerequisites ...
Prerequisite Number: 1
Fileset: bos.sysmgt.nim.client
Minimal Level: 7.2.5.203
Maximum Level: 7.2.5.203
Actual Level: 7.2.5.203
Type: PREREQ
Requisite Met: yes
Prerequisite Number: 2
Fileset: bos.sysmgt.nim.master
Minimal Level: 7.2.5.204
Maximum Level: 7.2.5.204
Actual Level: 7.2.5.204
Type: PREREQ
Requisite Met: yes
All prerequisites have been met.
+-----------------------------------------------------------------------------+
Processing APAR reference file
+-----------------------------------------------------------------------------+
ATTENTION: Interim fix is enabled for automatic removal by installp.
+-----------------------------------------------------------------------------+
Efix Attributes
+-----------------------------------------------------------------------------+
LABEL: IJ53757m9b
PACKAGING DATE: Mon Mar 17 09:03:41 CDT 2025
ABSTRACT: IJ53757 POTENTIAL SECURITY ISSUE
PACKAGER VERSION: 7
VUID: 00F7CD554C00031709034125
REBOOT REQUIRED: no
BUILD BOOT IMAGE: no
LU CAPABLE: yes
PRE-REQUISITES: yes
SUPERSEDE: no
PACKAGE LOCKS: no
E2E PREREQS: no
FIX TESTED: no
ALTERNATE PATH: None
EFIX FILES: 7
Install Scripts:
PRE_INSTALL: no
POST_INSTALL: yes
PRE_REMOVE: no
POST_REMOVE: no
File Number: 1
LOCATION: /usr/lib/libnim.a
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 1888
ACL: DEFAULT
CKSUM: 24031
PACKAGE: bos.sysmgt.nim.client
MOUNT INST: no
File Number: 2
LOCATION: /usr/lpp/bos.sysmgt/nim/methods/c_sync
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 32
ACL: DEFAULT
CKSUM: 42472
PACKAGE: bos.sysmgt.nim.master
MOUNT INST: no
File Number: 3
LOCATION: /usr/sbin/nimclient
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 104
ACL: DEFAULT
CKSUM: 59814
PACKAGE: bos.sysmgt.nim.client
MOUNT INST: no
File Number: 4
LOCATION: /usr/sbin/nimconfig
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 80
ACL: DEFAULT
CKSUM: 48827
PACKAGE: bos.sysmgt.nim.master
MOUNT INST: no
File Number: 5
LOCATION: /usr/sbin/nimesis
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 192
ACL: DEFAULT
CKSUM: 33179
PACKAGE: bos.sysmgt.nim.master
MOUNT INST: no
File Number: 6
LOCATION: /usr/sbin/niminit
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 56
ACL: DEFAULT
CKSUM: 26281
PACKAGE: bos.sysmgt.nim.client
MOUNT INST: no
File Number: 7
LOCATION: /usr/samples/nim/ssl/SSL_Makefile.mk
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 16
ACL: DEFAULT
CKSUM: 04120
PACKAGE: bos.sysmgt.nim.client
MOUNT INST: no
+-----------------------------------------------------------------------------+
Efix Description
+-----------------------------------------------------------------------------+
IJ53757 - a potential security issue exists
IJ53813 - a potential security issue exists
IJ53812 - a potential security issue exists
IJ53811 - a potential security issue exists
IJ53914 - a potential security issue exists
IJ53915 - a potential security issue exists
+-----------------------------------------------------------------------------+
Efix Lock Management
+-----------------------------------------------------------------------------+
Checking locks for file /usr/lib/libnim.a ...
Checking locks for file /usr/lpp/bos.sysmgt/nim/methods/c_sync ...
Checking locks for file /usr/sbin/nimclient ...
Checking locks for file /usr/sbin/nimconfig ...
Checking locks for file /usr/sbin/nimesis ...
Checking locks for file /usr/sbin/niminit ...
Checking locks for file /usr/samples/nim/ssl/SSL_Makefile.mk ...
All files have passed lock checks.
+-----------------------------------------------------------------------------+
Space Requirements
+-----------------------------------------------------------------------------+
Checking space requirements ...
Space statistics (in 512 byte-blocks):
File system: /usr, Free: 880984, Required: 6374, Deficit: 0.
File system: /tmp, Free: 521152, Required: 5238, Deficit: 0.
+-----------------------------------------------------------------------------+
Reboot Processing
+-----------------------------------------------------------------------------+
Reboot is not required by this efix package.
*******************************************************************************
EFIX MANAGER PREVIEW END
*******************************************************************************
+-----------------------------------------------------------------------------+
Operation Summary
+-----------------------------------------------------------------------------+
Log file is /var/adm/ras/emgr.log
EPKG NUMBER LABEL OPERATION RESULT
=========== ============== ================= ==============
1 IJ53757m9b INSTALL PREVIEW SUCCESS
Return Status = SUCCESS
#
(Reference) emgr command: https://www.ibm.com/docs/ja/aix/7.2?topic=e-emgr-command
Installing the ifix
Ran "time emgr -e IJ53757m9b.250317.epkg.Z -X". The full output follows.
# time emgr -e IJ53757m9b.250317.epkg.Z -X
+-----------------------------------------------------------------------------+
Efix Manager Initialization
+-----------------------------------------------------------------------------+
Initializing log /var/adm/ras/emgr.log ...
Efix package file is: /work/IJ53757m9b.250317.epkg.Z
MD5 generating command is /usr/bin/csum
MD5 checksum is e6527ca23fa00dbddb3b76a6d2661424
Accessing efix metadata ...
Processing efix label "IJ53757m9b" ...
Verifying efix control file ...
+-----------------------------------------------------------------------------+
Installp Prerequisite Verification
+-----------------------------------------------------------------------------+
Verifying prerequisite file ...
Checking prerequisites ...
Prerequisite Number: 1
Fileset: bos.sysmgt.nim.client
Minimal Level: 7.2.5.203
Maximum Level: 7.2.5.203
Actual Level: 7.2.5.203
Type: PREREQ
Requisite Met: yes
Prerequisite Number: 2
Fileset: bos.sysmgt.nim.master
Minimal Level: 7.2.5.204
Maximum Level: 7.2.5.204
Actual Level: 7.2.5.204
Type: PREREQ
Requisite Met: yes
All prerequisites have been met.
+-----------------------------------------------------------------------------+
Processing APAR reference file
+-----------------------------------------------------------------------------+
ATTENTION: Interim fix is enabled for automatic removal by installp.
+-----------------------------------------------------------------------------+
Efix Attributes
+-----------------------------------------------------------------------------+
LABEL: IJ53757m9b
PACKAGING DATE: Mon Mar 17 09:03:41 CDT 2025
ABSTRACT: IJ53757 POTENTIAL SECURITY ISSUE
PACKAGER VERSION: 7
VUID: 00F7CD554C00031709034125
REBOOT REQUIRED: no
BUILD BOOT IMAGE: no
LU CAPABLE: yes
PRE-REQUISITES: yes
SUPERSEDE: no
PACKAGE LOCKS: no
E2E PREREQS: no
FIX TESTED: no
ALTERNATE PATH: None
EFIX FILES: 7
Install Scripts:
PRE_INSTALL: no
POST_INSTALL: yes
PRE_REMOVE: no
POST_REMOVE: no
File Number: 1
LOCATION: /usr/lib/libnim.a
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 1888
ACL: DEFAULT
CKSUM: 24031
PACKAGE: bos.sysmgt.nim.client
MOUNT INST: no
File Number: 2
LOCATION: /usr/lpp/bos.sysmgt/nim/methods/c_sync
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 32
ACL: DEFAULT
CKSUM: 42472
PACKAGE: bos.sysmgt.nim.master
MOUNT INST: no
File Number: 3
LOCATION: /usr/sbin/nimclient
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 104
ACL: DEFAULT
CKSUM: 59814
PACKAGE: bos.sysmgt.nim.client
MOUNT INST: no
File Number: 4
LOCATION: /usr/sbin/nimconfig
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 80
ACL: DEFAULT
CKSUM: 48827
PACKAGE: bos.sysmgt.nim.master
MOUNT INST: no
File Number: 5
LOCATION: /usr/sbin/nimesis
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 192
ACL: DEFAULT
CKSUM: 33179
PACKAGE: bos.sysmgt.nim.master
MOUNT INST: no
File Number: 6
LOCATION: /usr/sbin/niminit
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 56
ACL: DEFAULT
CKSUM: 26281
PACKAGE: bos.sysmgt.nim.client
MOUNT INST: no
File Number: 7
LOCATION: /usr/samples/nim/ssl/SSL_Makefile.mk
FILE TYPE: Standard (file or executable)
INSTALLER: installp
SIZE: 16
ACL: DEFAULT
CKSUM: 04120
PACKAGE: bos.sysmgt.nim.client
MOUNT INST: no
+-----------------------------------------------------------------------------+
Efix Description
+-----------------------------------------------------------------------------+
IJ53757 - a potential security issue exists
IJ53813 - a potential security issue exists
IJ53812 - a potential security issue exists
IJ53811 - a potential security issue exists
IJ53914 - a potential security issue exists
IJ53915 - a potential security issue exists
+-----------------------------------------------------------------------------+
Efix Lock Management
+-----------------------------------------------------------------------------+
Checking locks for file /usr/lib/libnim.a ...
Checking locks for file /usr/lpp/bos.sysmgt/nim/methods/c_sync ...
Checking locks for file /usr/sbin/nimclient ...
Checking locks for file /usr/sbin/nimconfig ...
Checking locks for file /usr/sbin/nimesis ...
Checking locks for file /usr/sbin/niminit ...
Checking locks for file /usr/samples/nim/ssl/SSL_Makefile.mk ...
All files have passed lock checks.
+-----------------------------------------------------------------------------+
Space Requirements
+-----------------------------------------------------------------------------+
Checking space requirements ...
Space statistics (in 512 byte-blocks):
File system: /usr, Free: 880984, Required: 6374, Deficit: 0.
File system: /tmp, Free: 521152, Required: 5238, Deficit: 0.
+-----------------------------------------------------------------------------+
Efix Installation Setup
+-----------------------------------------------------------------------------+
Unpacking efix package file ...
trustchk: Stanza not found: /usr/samples/nim/ssl/SSL_Makefile.mk
Initializing efix installation ...
+-----------------------------------------------------------------------------+
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: INSTALLING
+-----------------------------------------------------------------------------+
File Archiving
+-----------------------------------------------------------------------------+
Saving all files that will be replaced ...
Save directory is: /usr/emgrdata/efixdata/IJ53757m9b/save
File 1: Saving /usr/lib/libnim.a as EFSAVE1 ...
File 2: Saving /usr/lpp/bos.sysmgt/nim/methods/c_sync as EFSAVE2 ...
File 3: Saving /usr/sbin/nimclient as EFSAVE3 ...
File 4: Saving /usr/sbin/nimconfig as EFSAVE4 ...
File 5: Saving /usr/sbin/nimesis as EFSAVE5 ...
File 6: Saving /usr/sbin/niminit as EFSAVE6 ...
File 7: Saving /usr/samples/nim/ssl/SSL_Makefile.mk as EFSAVE7 ...
+-----------------------------------------------------------------------------+
Efix File Installation
+-----------------------------------------------------------------------------+
Installing all efix files:
Installing efix file #1 (File: /usr/lib/libnim.a) ...
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.
Installing efix file #2 (File: /usr/lpp/bos.sysmgt/nim/methods/c_sync) ...
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.
Installing efix file #3 (File: /usr/sbin/nimclient) ...
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.
Installing efix file #4 (File: /usr/sbin/nimconfig) ...
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.
Installing efix file #5 (File: /usr/sbin/nimesis) ...
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.
Installing efix file #6 (File: /usr/sbin/niminit) ...
Successfully updated the Kernel Authorization Table.
Successfully updated the Kernel Role Table.
Successfully updated the Kernel Command Table.
Successfully updated the Kernel Device Table.
Successfully updated the Kernel Object Domain Table.
Successfully updated the Kernel Domains Table.
Successfully updated the Kernel RBAC log level.
Installing efix file #7 (File: /usr/samples/nim/ssl/SSL_Makefile.mk) ...
Total number of efix files installed is 7.
All efix files installed successfully.
+-----------------------------------------------------------------------------+
Package Locking
+-----------------------------------------------------------------------------+
Processing package locking for all files.
File 1: locking installp fileset bos.sysmgt.nim.client.
File 2: locking installp fileset bos.sysmgt.nim.master.
File 3: installp fileset bos.sysmgt.nim.client is already locked by emgr.
File 4: installp fileset bos.sysmgt.nim.master is already locked by emgr.
File 5: installp fileset bos.sysmgt.nim.master is already locked by emgr.
File 6: installp fileset bos.sysmgt.nim.client is already locked by emgr.
File 7: installp fileset bos.sysmgt.nim.client is already locked by emgr.
All package locks processed successfully.
+-----------------------------------------------------------------------------+
Post-Install Script
+-----------------------------------------------------------------------------+
Executing post-install script ...
0513-044 The nimesis Subsystem was requested to stop.
0513-059 The nimesis Subsystem has been started. Subsystem PID is 12321088.
Return code from post-install script is: 0
+-----------------------------------------------------------------------------+
Reboot Processing
+-----------------------------------------------------------------------------+
Reboot is not required by this efix package.
+-----------------------------------------------------------------------------+
Efix State
+-----------------------------------------------------------------------------+
Setting efix state to: STABLE
+-----------------------------------------------------------------------------+
Operation Summary
+-----------------------------------------------------------------------------+
Log file is /var/adm/ras/emgr.log
EPKG NUMBER LABEL OPERATION RESULT
=========== ============== ================= ==============
1 IJ53757m9b INSTALL SUCCESS
Return Status = SUCCESS
real 0m38.05s
user 0m11.72s
sys 0m4.64s
The files being replaced are listed in the log, which makes the change easy to follow.
Applying the ifix took just under 40 seconds.
Verification
# emgr -l
ID STATE LABEL INSTALL TIME UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ======================================
1 S IJ53757m9b 04/18/25 19:49:08 IJ53757 POTENTIAL SECURITY ISSUE
STATE codes:
S = STABLE
M = MOUNTED
U = UNMOUNTED
Q = REBOOT REQUIRED
B = BROKEN
I = INSTALLING
R = REMOVING
T = TESTED
P = PATCHED
N = NOT PATCHED
SP = STABLE + PATCHED
SN = STABLE + NOT PATCHED
QP = BOOT IMAGE MODIFIED + PATCHED
QN = BOOT IMAGE MODIFIED + NOT PATCHED
RQ = REMOVING + REBOOT REQUIRED
- The fileset levels did not change.
# lslpp -l | grep nim
bos.sysmgt.nim.client 7.2.5.203 COMMITTED Network Install Manager -
bos.sysmgt.nim.master 7.2.5.204 COMMITTED Network Install Manager -
bos.sysmgt.nim.spot 7.2.5.203 COMMITTED Network Install Manager - SPOT
bos.sysmgt.nim.client 7.2.5.203 COMMITTED Network Install Manager -
Looking at the fileset details, bos.sysmgt.nim.master and bos.sysmgt.nim.client show EFIXLOCKED, which confirms that the efix has been applied.
# lslpp -l bos.sysmgt.nim.master
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.sysmgt.nim.master 7.2.5.204 COMMITTED Network Install Manager -
Master Tools
EFIXLOCKED
# lslpp -l bos.sysmgt.nim.client
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.sysmgt.nim.client 7.2.5.203 COMMITTED Network Install Manager -
Client Tools
EFIXLOCKED
Path: /etc/objrepos
bos.sysmgt.nim.client 7.2.5.203 COMMITTED Network Install Manager -
Client Tools
EFIXLOCKED
bos.sysmgt.nim.spot does not show EFIXLOCKED, so I assume the spot fileset was not touched by this ifix.
# lslpp -l bos.sysmgt.nim.spot
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.sysmgt.nim.spot 7.2.5.203 COMMITTED Network Install Manager - SPOT
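As an added example that is not part of the original post: a small POSIX shell script that wraps the checksum check from the download step above and the post-install checks from this section (the label state in emgr -l and the EFIXLOCKED marker in lslpp -l). It assumes the file path and expected SHA-256 shown earlier on this page; the emgr -l and lslpp samples are constructed from the output above so the check functions can be exercised off the NIM master.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checksum check for the
# epkg plus post-install checks that read 'emgr -l' / 'lslpp -l' output on stdin.

# Use whichever SHA-256 tool the host provides (AIX: openssl, Linux: sha256sum).
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_epkg FILE EXPECTED_SHA256: succeed only when the digest matches the
# value published with the fix; run this before handing the file to emgr.
verify_epkg() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# efix_stable LABEL: read 'emgr -l' output on stdin; succeed when LABEL is
# listed with STATE S (STABLE). SP/SN/Q rows are deliberately not accepted.
efix_stable() {
    awk -v label="$1" '$2 == "S" && $3 == label { found = 1 } END { exit found ? 0 : 1 }'
}

# fileset_locked FILESET: read 'lslpp -l FILESET' output on stdin; succeed when
# an EFIXLOCKED marker follows the fileset line, as the post shows after install.
fileset_locked() {
    awk -v fs="$1" '$1 == fs { seen = 1 }
                    seen && $1 == "EFIXLOCKED" { locked = 1 }
                    END { exit locked ? 0 : 1 }'
}

# Constructed samples, copied from the confirmation output earlier on this page.
EMGR_L_SAMPLE='ID  STATE LABEL      INSTALL TIME      UPDATED BY ABSTRACT
=== ===== ========== ================= ========== ====================
1    S    IJ53757m9b 04/18/25 19:49:08            IJ53757 POTENTIAL SECURITY ISSUE'
LSLPP_MASTER_SAMPLE='Path: /usr/lib/objrepos
  bos.sysmgt.nim.master     7.2.5.204  COMMITTED  Network Install Manager -
                                                  Master Tools
                                                  EFIXLOCKED'
LSLPP_SPOT_SAMPLE='Path: /usr/lib/objrepos
  bos.sysmgt.nim.spot       7.2.5.203  COMMITTED  Network Install Manager - SPOT'

# Values from this page; on a NIM master feed the live commands instead of the
# samples, e.g.  emgr -l | efix_stable IJ53757m9b
EPKG=/work/IJ53757m9b.250317.epkg.Z
EXPECTED=db4490ffd919679f9d7dd42897d00444b7e185c4a535967c6f422f3091c63cb5
if [ -f "$EPKG" ]; then
    if verify_epkg "$EPKG" "$EXPECTED"; then echo "checksum OK: $EPKG"
    else echo "checksum MISMATCH: do not run emgr on $EPKG"; fi
fi
if printf '%s\n' "$EMGR_L_SAMPLE" | efix_stable IJ53757m9b; then
    echo "IJ53757m9b is STABLE"
fi
if printf '%s\n' "$LSLPP_MASTER_SAMPLE" | fileset_locked bos.sysmgt.nim.master; then
    echo "bos.sysmgt.nim.master is EFIXLOCKED"
fi
if ! printf '%s\n' "$LSLPP_SPOT_SAMPLE" | fileset_locked bos.sysmgt.nim.spot; then
    echo "bos.sysmgt.nim.spot is not locked (expected: spot was not in the ifix)"
fi
```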
Closing
Until now I have rarely seen NIM communication designed with SSL, but from here on an SSL configuration may become the recommendation, or even the default.
That's all.