
CERT Coordination Center

SETI@home client vulnerable to buffer overflow

Vulnerability Note VU#146785

Original Release Date: 2003-04-07 | Last Revised: 2003-04-09

Overview

A buffer overflow vulnerability in the SETI@home client could allow a remote attacker to execute arbitrary code or cause the SETI@home client to fail. An exploit for this vulnerability is known to exist and may be circulating.

Description

From the SETI@home website:

SETI@home is a scientific experiment that uses Internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). You can participate by running a free program that downloads and analyzes radio telescope data.

A remotely exploitable buffer overflow in the SETI@home client may allow a remote attacker to execute arbitrary code with the privileges of the victim running SETI@home, or cause the SETI@home client to fail. For more details, please see the advisory written by Berend-Jan Wever.

Impact

A remote attacker may be able to execute arbitrary code with the privileges of the victim running SETI@home, or cause the SETI@home client to fail.

Solution

SETI@home has provided an updated client that resolves this vulnerability.

Vendor Information


FreeBSD Affected

Updated:  April 08, 2003

Status

Affected

Vendor Statement

See FreeBSD-SN-03:02.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux Affected

Updated:  April 09, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see GLSA 200304-03.


SETI@home Affected

Updated:  April 07, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see http://setiathome.berkeley.edu/version308.html.




Acknowledgements

This vulnerability was discovered by Berend-Jan Wever.

This document was written by Ian A Finlay.

Other Information

CVE IDs: None
Severity Metric: 14.06
Date Public: 2003-04-06
Date First Published: 2003-04-07
Date Last Updated: 2003-04-09 13:00 UTC
Document Revision: 9

Sponsored by CISA.