Vulnerability Note VU#146785

SETI@home client vulnerable to buffer overflow

Original Release date: 07 Apr 2003 | Last revised: 09 Apr 2003

Overview

A buffer overflow vulnerability in the SETI@home client could allow a remote attacker to execute arbitrary code or cause the SETI@home client to fail. An exploit for this vulnerability is known to exist and may be circulating.

Description

From the SETI@home website:

    SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data.

A remotely exploitable buffer overflow in the SETI@home client may allow a remote attacker to execute arbitrary code with the privileges of the victim running SETI@home, or cause the SETI@home client to fail. For more details, please see the advisory written by Berend-Jan Wever.

Impact

A remote attacker may be able to execute arbitrary code with the privileges of the victim running SETI@home, or cause the SETI@home client to fail.

Solution

SETI@home has provided an updated client that resolves this vulnerability.

Systems Affected

Vendor         Status     Date Notified   Date Updated
FreeBSD        Affected   -               08 Apr 2003
Gentoo Linux   Affected   -               09 Apr 2003
SETI@home      Affected   -               07 Apr 2003

CVSS Metrics

Group           Score   Vector
Base            N/A     N/A
Temporal        N/A     N/A
Environmental   N/A     N/A

Credit

This vulnerability was discovered by Berend-Jan Wever.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: Unknown
  • Date Public: 06 Apr 2003
  • Date First Published: 07 Apr 2003
  • Date Last Updated: 09 Apr 2003
  • Severity Metric: 14.06
  • Document Revision: 8
