[NEWS] ClearCase Remote DoS

From: support@securiteam.com
Date: 11/22/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 22 Nov 2002 19:04:19 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ClearCase Remote DoS
    ------------------------------------------------------------------------

    SUMMARY

    ClearCase is a version control, workspace management, build management
    and process configuration tool. The ClearCase process (albd_server)
    listening on TCP port 371 can be crashed by a simple nmap scan. This allows
    a remote attacker to deny legitimate users the use of the product.

    DETAILS

    Vulnerable systems:
     * ClearCase version 4.1 (patches 27, 28) and 2002.05 (patches 9, 10)

    Stefan and Marek have observed two different behaviors:

    A) When performing a port scan of the target system with nmap, TCP port
    371 is shown as open. Starting a second scan right after the first one has
    finished, the port is reported open again, but the process crashes.

    B) In a second test, scanning only port 371 crashes the service with a
    single scan.

    Example:
    A) Executing

    nmap -vvv -O -sT ip.of.clearcase.system

    twice leads to the following messages in the log of the ClearCase system
    (/var/adm/atria/log/albd_log):

    09/24/02 14:55:23 albd_server(7677): Error: Operation "accept" failed:
    Software caused connection abort.
    09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0

    The service is no longer available afterwards.

    B) Executing

    nmap -vvv -O -sT -p 371 ip.of.clearcase.system

    once crashes the service immediately. (Note: nmap cannot even finish its
    OS detection.)

    Nmap version used was 3.00 on a Linux system.
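    The albd_log excerpt above is the only on-host evidence the advisory gives
    of a crash, so the most useful thing an operator can do while waiting for
    a working patch is watch for it. The following is an added example, not
    code from the advisory or from Rational: it parses albd_log lines in the
    format quoted above (including the wrapped continuation line), pairs an
    accept() failure with the "Exiting" record from the same PID, and offers a
    TCP liveness probe for port 371. The log sample is constructed; only the
    "Error"/"Exiting" lines are taken from the advisory, the other lines are
    made up to show ordinary traffic.

```python
import re
import socket
from datetime import datetime

# Constructed sample of /var/adm/atria/log/albd_log. The "Error" line, its
# wrapped continuation and the "Exiting" line are quoted from the advisory;
# the two "Ok" lines before them are made up for this example.
SAMPLE_ALBD_LOG = """\
09/24/02 14:50:01 albd_server(7677): Ok: Started
09/24/02 14:53:10 albd_server(7677): Ok: Request served
09/24/02 14:55:23 albd_server(7677): Error: Operation "accept" failed:
Software caused connection abort.
09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0
"""

# date time proc(pid): Ok|Error: message  (layout as seen in the advisory)
LINE_RE = re.compile(
    r'^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<proc>\w+)\((?P<pid>\d+)\): (?P<level>Ok|Error): (?P<msg>.*)$'
)


def parse_albd_log(text):
    """Parse albd_log text into a list of dicts. A line without a timestamp
    is treated as a continuation of the previous message (the advisory's
    sample wraps the accept() error onto a second line)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            d = m.groupdict()
            d['pid'] = int(d['pid'])
            d['when'] = datetime.strptime(d['date'] + ' ' + d['time'],
                                          '%m/%d/%y %H:%M:%S')
            entries.append(d)
        elif entries and raw.strip():
            entries[-1]['msg'] += ' ' + raw.strip()
    return entries


def find_albd_crashes(entries, window_seconds=5):
    """Return (error_entry, exit_entry) pairs: an accept() failure followed
    within window_seconds by an 'Exiting' record from the same albd PID."""
    crashes = []
    for i, err in enumerate(entries):
        if err['level'] != 'Error' or 'Operation "accept" failed' not in err['msg']:
            continue
        for later in entries[i + 1:]:
            if later['pid'] != err['pid']:
                continue
            if (later['when'] - err['when']).total_seconds() > window_seconds:
                break
            if later['msg'].startswith('Exiting'):
                crashes.append((err, later))
                break
    return crashes


def albd_listening(host='127.0.0.1', port=371, timeout=2.0):
    """Liveness probe: a single TCP connect to the albd port; True if the
    connection is accepted, False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def local_listener():
    """Helper for demonstrating albd_listening() offline: a loopback socket
    bound to an ephemeral port (hypothetical stand-in for albd_server)."""
    s = socket.socket()
    s.bind(('127.0.0.1', 0))
    s.listen(1)
    return s


if __name__ == '__main__':
    for err, ext in find_albd_crashes(parse_albd_log(SAMPLE_ALBD_LOG)):
        print(f"albd_server pid {err['pid']} exited at {ext['when']} "
              f"after: {err['msg']}")
    srv = local_listener()
    print('stand-in albd port up:', albd_listening(port=srv.getsockname()[1]))
    srv.close()
```

    Pointing albd_listening() at the real host and port 371 from a monitoring
    box gives a cheap "is it still up" check; note that a single connect is
    itself the kind of traffic the advisory says the unpatched daemon handles
    badly, so run it from one trusted source at a low rate and alert on the
    log pattern rather than probing aggressively.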

    Solution:
    Working patches for ClearCase 2002.05/Solaris Sparc available from
    Rational since Nov-14-2002 (clearcase_p2002.05.00-12 and
    clearcase_p2002.05.00-15).

    Solution for 4.1:
    Currently there is no solution.

    Vendor Communication:
    09/24/02 Initial Notification via email to support@rational.com

    09/24/02 Got vendor receipt via email; this is a known bug since 07/31/02.
    From the vendor's email: "We have fixed this issue for the next ClearCase
    version. A patch is actually under test for fixing this problem in all
    ClearCase version starting 4.1. The patch is planned to be released in the
    November bundle."

    10/15/02 Rational sent three hotfixes (5.0/SUN, 4.1/SUN, 4.2/Redhat)

    10/24/02 Stefan and Marek tested the patches: the hotfix for ClearCase
    2002.05/Solaris Sparc works OK; the hotfix for ClearCase 4.1/Solaris Sparc
    DOES NOT WORK, i.e. albd_server still terminates after a port scan. Email
    was sent to the vendor asking for a fix by 10/31 (this year).

    10/28/02 Mail from vendor, asking for the exact patch level of the server
    (and the order of patches applied)

    10/29/02 Provided Rational with the information

    11/03/02 Mail to vendor, because there are no patches available yet!

    11/04/02 Answer from Rational: will be delivered mid-November (11/14,
    11/15 or 11/18)

    11/18/02 Rational provides the patch bundle

    11/21/02 Tested the patch with the following result: ClearCase 4.1/Solaris
    Sparc crashes as seen before. Stefan and Marek are no longer willing to
    hold back this advisory as it is A) a serious bug and B) perhaps an
    indicator that Rational is 1) not willing to fix the bug or 2) not able to
    do so. However, it is not acceptable.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:stefan.bagdohn@guardeonic.com> Stefan Bagdohn and
    <mailto:marek.rouchal@infineon.com> Marek Rouchal.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.