SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   IBM Rational ClearCase Vendors:   Rational Software
Rational ClearCase Can Be Crashed By Remote Users Conducting Port Scans
SecurityTracker Alert ID:  1005682
SecurityTracker URL:  http://securitytracker.com/id/1005682
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 22 2002
Impact:   Denial of service via network

Version(s): 4.1 (patches 27, 28) and 2002.05 (patches 9,10)
Description:   A denial of service vulnerability was reported in Rational ClearCase. A remote user can cause the process to crash.

Guardeonic Solutions reported that a remote user can conduct a TCP port scan (using nmap) to cause the process to crash.

A remote user can conduct the following type of nmap scan twice to cause the service to crash:

nmap -vvv -O -sT ip.of.clearcase.system

A remote user can conduct the following type of nmap scan once to cause the service to crash:

nmap -vvv -O -sT -p 371 ip.of.clearcase.system

Impact:   A remote user can cause the service to crash.
Solution:   No solution was available for version 4.1 at the time of this entry. The vendor has released the following patches for ClearCase 2002.05/Solaris Sparc:

clearcase_p2002.05.00-12
clearcase_p2002.05.00-15

Vendor URL:  www.rational.com/products/clearcase/index.jsp (Links to External Site)
Cause:   Exception handling error, State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
Underlying OS Comments:  Confirmed only on Sun Solaris; it is not known if other supported operating systems are affected

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] ClearCase DoS vulnerabilty


------_=_NextPart_000_01C29209.C164E0D0
Content-Type: text/plain;
	charset="iso-8859-1"

Dear all,

please find attached a security vulnarability advisory
for immediate publishing.

Best regards,

Marek Rouchal, Infineon Technologies AG, Munich, Germany
Stefan Bagdohn, Guardeonic Solutions, Munich, Germany


Summary:

Advisory Name:        ClearCase remote DoS
Release Date:         11/22/02
Affected Product:     Rational (R) ClearCase (R)
Platform:             Solaris 2.5.1 and 8 for sure, other unknown
Version:              4.1 (patches 27, 28) and 2002.05 (patches 9,10)
                      sure, other unknown

Severity:             The ClearCase process listening on TCP port 371
                      can be crashed by performing a simple nmap scan


------_=_NextPart_000_01C29209.C164E0D0
Content-Type: text/plain;
	name="guardadv-03-2002-clearcaseDoS.txt"
Content-Transfer-Encoding: 8bit            
Content-Disposition: attachment;
	filename="guardadv-03-2002-clearcaseDoS.txt"

Guardeonic Solutions AG (www.guardeonic.com)

Security Advisory #03-2002

Advisory Name:        ClearCase remote DoS
Release Date:         11/22/02
Affected Product:     Rational (R) ClearCase (R)
Platform:             Solaris 2.5.1 and 8 for sure, other unknown
Version:              4.1 (patches 27, 28) and 2002.05 (patches 9,10)
                      sure, other unknown

Severity:             The ClearCase process listening on TCP port 371
                      can be crashed by performing a simple nmap scan

Author:               Stefan Bagdohn <stefan.bagdohn@guardeonic.com>
                                     <buggy@segmentationfault.de> 
                      Marek Rouchal  <marek.rouchal@infineon.com>

Vendor Communication: 09/24/02 Initial Notification via email to 
                               support@rational.com
                      09/24/02 Got vendor receipt via email, this is a 
                               known bug since 07/31/02, From vendors
                               email: " We have fixed this issue for the
                               next ClearCase version. A patch is actually
                               under test for fixing this problem in all
                               ClearCase version starting 4.1 The patch is
                               planned to be released in the november
                               bundle."
                      10/15/02 Rational sent three hotfixes (5.0/SUN,
                               4.1/SUN, 4.2/Redhat)
                      10/24/02 We tested the patches: 
                               The hotfix for ClearCase 2002.05/Solaris
                               Sparc works ok, The hotfix for ClearCase
                               4.1/Solaris Sparc DOES NOT WORK, i.e.
                               albd_server terminates after a port scan.
                               Email was sent to vendor asking to fix
                               it until 10/31 (this year)
                      10/28/02 Mail from vendor, asking for the exact
                               patchlevel of the server (and the order
                               of patches applied)
                      10/29/02 Provided Rational with the information
                      11/03/02 Mail to vendor, because there are no patches
                               available yet!
                      11/04/02 Answer from Rational: Will be delivered
                               mid of november (11/14, 11/15 or 11/18)
                      11/18/02 Rational provides the patch bundle
                      11/21/02 Tested the patch with following result:
                               ClearCase 4.1/Solaris Sparc crashes as
                               seen before.
                               We are no longer willing to hold back
                               this advisory as it is A) a serious bug 
                               and B) perhaps a indicator that Rational
                               is 1) not willing to fix the bug or 
                               2) not able to do so. However, it is
                               not acceptable.

Overview:

(From vendors website): ... Rational(R) ClearCase(R), a robust software
artifact management tool. (end of vendor citation)

ClearCase is a version controling, workspace management, build
management and process configuration tool. In short: it can do anything
but making coffee.

The service can easily be crashed by performing a simple tcp portscan
via nmap.

Decription:

We have seen two different behaviours:

A) When performing a portscan of the target system with nmap the TCP port
371 is show as open. Starting a second scan right after the first one
has finished the port is reported open again, but the process crashes.

B) A second test, scanning only one port, crashes the service with
only performing one scan.

Example:

A) Executing

nmap -vvv -O -sT ip.of.clearcase.system

two times will lead to the following message in the logs the of
the clearcase system (/var/adm/atria/log/albd_log):

09/24/02 14:55:23 albd_server(7677): Error: Operation "accept"
failed: Software caused connection abort.
09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0

The service is no longer available afterwards.

B) By executing

nmap -vvv -O -sT -p 371 ip.of.clearcase.system

one time, the services crashed immediately. (Note: nmap cannot
even finish its OS detection.)

Nmap version used was 3.00 on a linux system.

Solution:

Working patches for ClearCase 2002.05/Solaris Sparc available
from Rational since Nov-14-2002 (clearcase_p2002.05.00-12 and 
clearcase_p2002.05.00-15).
Solution for 4.1: none! 

Credit:

None

EOF



------_=_NextPart_000_01C29209.C164E0D0--


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC