search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Serva32 2.1.0 TFTPD service buffer overflow vulnerability

Vulnerability Note VU#127108

Original Release Date: 2013-05-14 | Last Revised: 2013-05-21

Overview

Serva32 2.1.0 TFTPD service contains a buffer overflow vulnerability.

Description

The Serva32 2.1.0 TFTPD service contains a buffer overflow vulnerability when parsing large read requests. When the application reads in a large buffer the application crashes.

Impact

An unauthenticated attacker can pass large read requests against the application causing it to crash.

Solution

We are currently unaware of a practical solution to this problem.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Vendor Information

127108
 
Expand all

Serva Affected

Updated:  May 13, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 5.4 AV:N/AC:H/Au:N/C:N/I:N/A:C
Temporal 3.9 E:U/RL:W/RC:UC
Environmental 1.1 CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://www.vercot.com/~serva/

Acknowledgements

Thanks to Jonathan Christmas a researcher at Solera Networks for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2013-0145
Date Public: 2013-05-14
Date First Published: 2013-05-14
Date Last Updated: 2013-05-21 14:05 UTC
Document Revision: 19

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis