------_=_NextPart_000_01C29209.C164E0D0
Content-Type: text/plain;
	charset="iso-8859-1"

Dear all,

please find attached a security vulnarability advisory
for immediate publishing.

Best regards,

Marek Rouchal, Infineon Technologies AG, Munich, Germany
Stefan Bagdohn, Guardeonic Solutions, Munich, Germany


Summary:

Advisory Name:        ClearCase remote DoS
Release Date:         11/22/02
Affected Product:     Rational (R) ClearCase (R)
Platform:             Solaris 2.5.1 and 8 for sure, other unknown
Version:              4.1 (patches 27, 28) and 2002.05 (patches 9,10)
                      sure, other unknown

Severity:             The ClearCase process listening on TCP port 371
                      can be crashed by performing a simple nmap scan


------_=_NextPart_000_01C29209.C164E0D0
Content-Type: text/plain;
	name="guardadv-03-2002-clearcaseDoS.txt"
Content-Transfer-Encoding: 8bit            
Content-Disposition: attachment;
	filename="guardadv-03-2002-clearcaseDoS.txt"

Guardeonic Solutions AG (www.guardeonic.com)

Security Advisory #03-2002

Advisory Name:        ClearCase remote DoS
Release Date:         11/22/02
Affected Product:     Rational (R) ClearCase (R)
Platform:             Solaris 2.5.1 and 8 for sure, other unknown
Version:              4.1 (patches 27, 28) and 2002.05 (patches 9,10)
                      sure, other unknown

Severity:             The ClearCase process listening on TCP port 371
                      can be crashed by performing a simple nmap scan

Author:               Stefan Bagdohn <stefan.bagdohn@guardeonic.com>
                                     <buggy@segmentationfault.de> 
                      Marek Rouchal  <marek.rouchal@infineon.com>

Vendor Communication: 09/24/02 Initial Notification via email to 
                               support@rational.com
                      09/24/02 Got vendor receipt via email, this is a 
                               known bug since 07/31/02, From vendors
                               email: " We have fixed this issue for the
                               next ClearCase version. A patch is actually
                               under test for fixing this problem in all
                               ClearCase version starting 4.1 The patch is
                               planned to be released in the november
                               bundle."
                      10/15/02 Rational sent three hotfixes (5.0/SUN,
                               4.1/SUN, 4.2/Redhat)
                      10/24/02 We tested the patches: 
                               The hotfix for ClearCase 2002.05/Solaris
                               Sparc works ok, The hotfix for ClearCase
                               4.1/Solaris Sparc DOES NOT WORK, i.e.
                               albd_server terminates after a port scan.
                               Email was sent to vendor asking to fix
                               it until 10/31 (this year)
                      10/28/02 Mail from vendor, asking for the exact
                               patchlevel of the server (and the order
                               of patches applied)
                      10/29/02 Provided Rational with the information
                      11/03/02 Mail to vendor, because there are no patches
                               available yet!
                      11/04/02 Answer from Rational: Will be delivered
                               mid of november (11/14, 11/15 or 11/18)
                      11/18/02 Rational provides the patch bundle
                      11/21/02 Tested the patch with following result:
                               ClearCase 4.1/Solaris Sparc crashes as
                               seen before.
                               We are no longer willing to hold back
                               this advisory as it is A) a serious bug 
                               and B) perhaps a indicator that Rational
                               is 1) not willing to fix the bug or 
                               2) not able to do so. However, it is
                               not acceptable.

Overview:

(From vendors website): ... Rational(R) ClearCase(R), a robust software
artifact management tool. (end of vendor citation)

ClearCase is a version controling, workspace management, build
management and process configuration tool. In short: it can do anything
but making coffee.

The service can easily be crashed by performing a simple tcp portscan
via nmap.

Decription:

We have seen two different behaviours:

A) When performing a portscan of the target system with nmap the TCP port
371 is show as open. Starting a second scan right after the first one
has finished the port is reported open again, but the process crashes.

B) A second test, scanning only one port, crashes the service with
only performing one scan.

Example:

A) Executing

nmap -vvv -O -sT ip.of.clearcase.system

two times will lead to the following message in the logs the of
the clearcase system (/var/adm/atria/log/albd_log):

09/24/02 14:55:23 albd_server(7677): Error: Operation "accept"
failed: Software caused connection abort.
09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0

The service is no longer available afterwards.

B) By executing

nmap -vvv -O -sT -p 371 ip.of.clearcase.system

one time, the services crashed immediately. (Note: nmap cannot
even finish its OS detection.)

Nmap version used was 3.00 on a linux system.

Solution:

Working patches for ClearCase 2002.05/Solaris Sparc available
from Rational since Nov-14-2002 (clearcase_p2002.05.00-12 and 
clearcase_p2002.05.00-15).
Solution for 4.1: none! 

Credit:

None

EOF



------_=_NextPart_000_01C29209.C164E0D0--