Security Bulletin IBM Rational DOORS

Dossier of the Critical Vulnerability Rating CVE-2018-1457

The critical vulnerability CVE-2018-1457 affects all versions of the IBM Rational DOORS software. By exploiting the vulnerability, complete access to the DOORS database can be obtained within seconds.

Gradations

The exploitability of the vulnerability varies depending on the "operation mode".

Out-of-the-box operation
This is the mode in which the installer sets up the server, so it is also the most frequently used operating mode.
In this operating mode, the communication between client and server is unencrypted.
Because the protocol between server and client is a clear-text protocol, the attack can be carried out with a small script or even with telnet.
The only prerequisite: access to the TCP port of the server (by default, port 36677).

With SSL certificates
When SSL certificates are used on the server and client to encrypt communication, the attack requires a valid client certificate to establish communication with the server. However, the certificate is not used for authorization, but only to establish the communication channel. Therefore, any certificate is sufficient; it does not have to be the certificate of a privileged user.

With active server side security
IBM server side security secures the server with a set of InterOp clients, which are meant to check each request to the server before it runs. For this to work, however, they require privileged access to the database. This can be exploited by posing as an "interop" client to the server. In this case, the security checks that apply to requests from normal clients in this mode of operation are omitted.
This operating mode can be combined with the use of SSL certificates.

Rating


Data
Because IBM Rational DOORS is software that collects, stores, and manages requirements, it usually contains data that is classified as confidential or even secret.

Distribution
In terms of distribution, the software is clearly the market leader. The industries that use it are correspondingly diverse (for example, automotive groups, automotive suppliers, aircraft manufacturers, insurance companies, public administration, defense contractors, armed forces ...).

Attack complexity
To exploit the vulnerability, only access to the TCP port of the server (and, if SSL certificates are used, a valid client certificate) is required.
If this is easy for an employee or external service provider to achieve, there is an urgent need to act to prevent a possible outflow of information.

Probability of detection
Because the vulnerability stems from the software architecture and has existed for decades, it is possible that it has been exploited in the past.
Code fragments of a replicated client, which could have been used for this purpose, have already circulated in various forums in the past.

Conclusion
With the required knowledge, every standard installation of a DOORS server can be read and manipulated by an attacker if the attacker has access to the network. Since no admin rights are required and malware can be developed in a short time (1-2 days), the danger posed by the vulnerability is great.

Classification

We come to the following classification:
(Differences from the official classification of IBM are marked in bold)

CVSS Base Score - 9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Temporal Score - 9.3

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:W/RC:C

Causes

The architecture of IBM Rational DOORS provides for a full implementation of all security checks on the client. The data on the server is stored in thousands of individual files that the client retrieves from the server. The server does not perform any rights checks, but delivers all data without further checks, unless IBM's Server Side Security has been additionally implemented.

Possible Solutions

Both of these solutions are basically a work-around that implements an additional check on the commands sent by the client. Both solutions prevent unauthorized access to the database.

Server side security as of version 9.6.1.11

From DOORS server version 9.6.1.11 onward, the DOORS server can be started with an additional option, "-secureInteropbyIP". After this, only clients that are logged in as Interop clients whose IP address is in a whitelist file (whitelist.dat in the server's Doors Data folder) can log on. Versions prior to 9.6.1.11 do not provide protection against the vulnerability!
Note: This solution is maintained by IBM as an official fix of the above vulnerability and therefore the IBM vulnerability is officially considered resolved.

requisis_DSP

requisis_DSP works as a security proxy and is placed "in front" of the DOORS server.
Each user gets an individual certificate that encodes all DOORS users as whom that user is allowed to log on. The connection from the client does not go directly to the DOORS database, but to requisis_DSP.
On each read and write access, it checks whether one of the stored users is authorized to read or write. Only then is the request forwarded to the server. If a malicious client or hacking tool tries to read or write unauthorized data from the server, the requests are not passed to the server.

Using DOORS Web Access

When the DOORS server is not reachable except through DOORS-Webservices, there is no way that anyone can exploit the vulnerability and access the data by bypassing authorization and authentication.

Using Citrix / Remote Desktop

When the DOORS server is reachable only through Remote Desktop Services or Citrix, and all applications that would allow the attacker to contact the server directly are forbidden (in particular: running own DXL scripts, VBA macros, own executables (exe, cmd, jar...), using scripting languages...), it would be quite complicated for anyone to exploit the vulnerability and access the data by bypassing authorization and authentication.

We help you to protect your data


On-site audit

To check if your DOORS server is affected, we offer audit events where we will work with you to see if your system is affected. On request, we will demonstrate the various attacks live.
Please understand that we do not hand over the tools and code used for the attack for security reasons and that we do not perform any audits remotely.
We are happy to provide you with a video with an exemplary attack.

Providing a solution

We will gladly assist you with the installation of a solution to protect your server against possible attacks, or carry out the installation for you. You can choose between two available solutions or alternative approaches. We would be pleased to advise you on the advantages and disadvantages of each solution and to work with you to find the optimal one for you.

Your contact person

Nikolai Stein-Cieslak
Phone: +49 (30) 536506-711
Fax: +49 (30) 536506-311
E-Mail: nikolai.stein@requisis.com

Headquarters
REQUISIS GmbH
Walter-Benjamin-Platz 8
10629 Berlin
Germany

Phone: +49 (30) 536506 - 700
Fax: +49 (30) 536506 - 300
E-Mail: info@requisis.com