Guardeonic Solutions AG (www.guardeonic.com)
Security Advisory #03-2002

Advisory Name:    ClearCase remote DoS
Release Date:     11/22/02
Affected Product: Rational (R) ClearCase (R)
Platform:         Solaris 2.5.1 and 8 for sure, other unknown
Version:          4.1 (patches 27, 28) and 2002.05 (patches 9, 10) for sure, other unknown
Severity:         The ClearCase process listening on TCP port 371 can be crashed by performing a simple nmap scan
Author:           Stefan Bagdohn
                  Marek Rouchal

Vendor Communication:

09/24/02  Initial notification via email to support@rational.com
09/24/02  Got vendor receipt via email; this is a known bug since 07/31/02.
          From the vendor's email:
          "We have fixed this issue for the next ClearCase version. A patch is actually under test for fixing this problem in all ClearCase versions starting 4.1. The patch is planned to be released in the November bundle."
10/15/02  Rational sent three hotfixes (5.0/SUN, 4.1/SUN, 4.2/Redhat)
10/24/02  We tested the patches:
          The hotfix for ClearCase 2002.05/Solaris Sparc works ok.
          The hotfix for ClearCase 4.1/Solaris Sparc DOES NOT WORK, i.e. albd_server terminates after a port scan.
          Email was sent to vendor asking to fix it by 10/31 (this year)
10/28/02  Mail from vendor, asking for the exact patch level of the server (and the order of patches applied)
10/29/02  Provided Rational with the information
11/03/02  Mail to vendor, because there are no patches available yet!
11/04/02  Answer from Rational: Will be delivered mid-November (11/14, 11/15 or 11/18)
11/18/02  Rational provides the patch bundle
11/21/02  Tested the patch with the following result: ClearCase 4.1/Solaris Sparc crashes as seen before.

We are no longer willing to hold back this advisory as it is A) a serious bug and B) perhaps an indicator that Rational is 1) not willing to fix the bug or 2) not able to do so. However, it is not acceptable.

Overview:

(From vendor's website):
... Rational(R) ClearCase(R), a robust software artifact management tool.
(end of vendor citation)

ClearCase is a version control, workspace management, build management and process configuration tool. In short: it can do anything but make coffee. The service can easily be crashed by performing a simple TCP port scan via nmap.

Description:

We have seen two different behaviours:

A) When performing a port scan of the target system with nmap, TCP port 371 is shown as open. When a second scan is started right after the first one has finished, the port is reported open again, but the process crashes.

B) A second test, scanning only one port, crashes the service with a single scan.

Example:

A) Executing

    nmap -vvv -O -sT ip.of.clearcase.system

two times will lead to the following messages in the logs of the ClearCase system (/var/adm/atria/log/albd_log):

    09/24/02 14:55:23 albd_server(7677): Error: Operation "accept" failed: Software caused connection abort.
    09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0

The service is no longer available afterwards.

B) By executing

    nmap -vvv -O -sT -p 371 ip.of.clearcase.system

one time, the service crashed immediately. (Note: nmap cannot even finish its OS detection.)

Nmap version used was 3.00 on a Linux system.

Solution:

Working patches for ClearCase 2002.05/Solaris Sparc have been available from Rational since Nov-14-2002 (clearcase_p2002.05.00-12 and clearcase_p2002.05.00-15).

Solution for 4.1: none!

Credit: None

EOF
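
The albd_log signature quoted in the Example section (an "accept" failure followed by albd_server exiting) can be checked for mechanically on hosts that cannot yet be patched. The following Python is an added example, not part of the Guardeonic advisory or of Rational's tooling; the function name, the 5-second correlation window and the two extra sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout taken from the albd_log excerpt in the advisory:
#   MM/DD/YY HH:MM:SS albd_server(PID): Level: message
LINE_RE = re.compile(
    r'^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) albd_server\((\d+)\): (\w+): (.*)$')
ACCEPT_FAIL = 'Operation "accept" failed'
EXITING = "Exiting, status"

def find_albd_crashes(lines, window_seconds=5):
    """Return [(timestamp, pid)] for every albd_server exit that follows an
    accept() failure logged by the same PID within window_seconds
    (the window is an assumption, not a value from the advisory)."""
    last_fail = {}  # pid -> time of its most recent accept() failure
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an albd_server record
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        pid, msg = int(m.group(2)), m.group(4)
        if ACCEPT_FAIL in msg:
            last_fail[pid] = ts
        elif EXITING in msg and pid in last_fail:
            if ts - last_fail.pop(pid) <= timedelta(seconds=window_seconds):
                hits.append((ts, pid))
    return hits

# Lines 1-2 are the excerpt from the advisory; lines 3-4 are constructed
# (an exit with no preceding accept() failure, and a failure with no exit).
SAMPLE_LOG = [
    '09/24/02 14:55:23 albd_server(7677): Error: Operation "accept" failed: Software caused connection abort.',
    '09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0',
    '09/25/02 08:00:00 albd_server(8123): Ok: Exiting, status = 0',
    '09/25/02 09:30:10 albd_server(8200): Error: Operation "accept" failed: Software caused connection abort.',
]

if __name__ == "__main__":
    for ts, pid in find_albd_crashes(SAMPLE_LOG):
        print(f"{ts:%m/%d/%y %H:%M:%S} albd_server pid {pid} exited after accept() failure")
```

Run against /var/adm/atria/log/albd_log by passing the open file object as `lines`; a hit means the service needs a restart and the source of the connections to TCP port 371 is worth reviewing.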