ClearCase is a version control, workspace management, build management and process configuration tool. The ClearCase process listening on TCP port 371 can be crashed by performing a simple nmap scan. This would allow a remote attacker to stop other legitimate users from using the product.
Credit:
The information has been provided by Stefan Bagdohn and Marek Rouchal.
Vulnerable systems:
* ClearCase version 4.1 (patches 27, 28) and 2002.05 (patches 9, 10)
Stefan and Marek have seen two different behaviors:
A) When performing a port scan of the target system with nmap, TCP port 371 is shown as open. When a second scan is started right after the first one has finished, the port is reported open again, but the process crashes.
B) In a second test, scanning only one port, the service crashes after a single scan.
Example:
A) Executing
nmap -vvv -O -sT ip.of.clearcase.system
two times will lead to the following messages in the log of the ClearCase system (/var/adm/atria/log/albd_log):
09/24/02 14:55:23 albd_server(7677): Error: Operation "accept" failed: Software caused connection abort.
09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0
The service is no longer available afterwards.
B) By executing
nmap -vvv -O -sT -p 371 ip.of.clearcase.system
one time, the service crashed immediately. (Note: nmap cannot even finish its OS detection.)
Nmap version used was 3.00 on a Linux system.
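A defender-side check built on the log lines quoted above, as an added example that is not part of the original advisory: it scans albd_log for an "accept" failure followed by the same albd_server PID exiting. The function name, the 5-second window and the third sample line are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Line layout taken from the albd_log excerpt in the advisory:
#   MM/DD/YY HH:MM:SS albd_server(PID): Level: message
LINE_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) albd_server\((\d+)\): (\w+): (.*)$"
)
ACCEPT_FAIL = 'Operation "accept" failed'
WINDOW = timedelta(seconds=5)  # assumption: how close the two lines must be


def find_albd_crashes(lines):
    """Return (timestamp, pid, reason) for each accept failure followed by exit."""
    last_fail = {}  # pid -> (time of last accept failure, message)
    crashes = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # foreign or truncated line: skip instead of aborting
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        pid, level, msg = int(m.group(2)), m.group(3), m.group(4)
        if level == "Error" and ACCEPT_FAIL in msg:
            last_fail[pid] = (ts, msg)
        elif level == "Ok" and msg.startswith("Exiting"):
            fail = last_fail.pop(pid, None)
            if fail and ts - fail[0] <= WINDOW:
                crashes.append((ts, pid, fail[1]))
    return crashes


# Constructed sample: the two lines quoted in the advisory, plus a constructed
# exit of a different PID with no preceding accept failure (must not be flagged).
SAMPLE = [
    '09/24/02 14:55:23 albd_server(7677): Error: Operation "accept" failed: '
    "Software caused connection abort.",
    "09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0",
    "09/25/02 08:00:00 albd_server(8123): Ok: Exiting, status = 0",
]

if __name__ == "__main__":
    for ts, pid, reason in find_albd_crashes(SAMPLE):
        print(f"{ts:%m/%d/%y %H:%M:%S} albd_server pid {pid} exited after: {reason}")
```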
Solution:
Working patches for ClearCase 2002.05/Solaris Sparc have been available from Rational since Nov-14-2002 (clearcase_p2002.05.00-12 and clearcase_p2002.05.00-15).
Solution for 4.1:
Currently there is no solution.
Vendor Communication:
09/24/02 Initial Notification via email to support@rational.com
09/24/02 Got vendor receipt via email, this is a known bug since 07/31/02, from vendor's email: "We have fixed this issue for the next ClearCase version. A patch is actually under test for fixing this problem in all ClearCase versions starting 4.1. The patch is planned to be released in the November bundle."
10/15/02 Rational sent three hotfixes (5.0/SUN, 4.1/SUN, 4.2/Redhat)
10/24/02 Stefan and Marek tested the patches: The hotfix for ClearCase 2002.05/Solaris Sparc works ok, the hotfix for ClearCase 4.1/Solaris Sparc DOES NOT WORK, i.e. albd_server terminates after a port scan. Email was sent to vendor asking to fix it by 10/31 (this year)
10/28/02 Mail from vendor, asking for the exact patch level of the server (and the order of patches applied)
10/29/02 Provided Rational with the information
11/03/02 Mail to vendor, because there are no patches available yet!
11/04/02 Answer from Rational: Will be delivered mid-November (11/14, 11/15 or 11/18)
11/18/02 Rational provides the patch bundle
11/21/02 Tested the patch with following result: ClearCase 4.1/Solaris Sparc crashes as seen before. Stefan and Marek are no longer willing to hold back this advisory as it is A) a serious bug and B) perhaps an indicator that Rational is 1) not willing to fix the bug or 2) not able to do so. However, it is not acceptable.