SETI@home, GIMPS, ChessBrain allow elevated privileges

seti@home-gain-privileges (18149) The risk level is classified as High Risk

Description:

SETI@home allows init scripts to execute user-owned files with root privileges. A local attacker could use this vulnerability to gain elevated privileges.


Consequences:

Gain Privileges

Remedy:

For Gentoo Linux containing the gimps package:
Upgrade to the latest version of setiathome (23.9-r1 or later), as listed in Gentoo Linux Security Announcement GLSA 200411-26. See References.

For Gentoo Linux containing the setiathome package:
Upgrade to the latest version of setiathome (3.08-r4 or 3.03-r2 or later), as listed in Gentoo Linux Security Announcement GLSA 200411-26. See References.

For Gentoo Linux containing the chessbrain package:
Upgrade to the latest version of chessbrain (20407-r1 or later), as listed in Gentoo Linux Security Announcement GLSA 200411-26. See References.

For other distributions:
Contact your vendor for upgrade or patch information.
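
To check a host for the condition in the Description (init scripts, run as root, executing files a non-root user can modify), the following audit can be used. It is an added example, not code from X-Force or the Gentoo advisory; the function names, the path-matching regex and the default `/etc/init.d` location are assumptions of this sketch.

```python
import os
import re
import stat

# Heuristic: absolute paths mentioned in a script (not a full shell parser).
PATH_RE = re.compile(r"(?<![\w.$-])/(?:[\w.+-]+/)*[\w.+-]+")

def path_problems(path, trusted_uids=frozenset({0}), boundary="/"):
    """Reasons why root should not execute `path`: the file or a directory
    above it (up to `boundary`) is owned or writable by an untrusted user."""
    problems = []
    current, boundary = os.path.realpath(path), os.path.realpath(boundary)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            problems.append(f"{current}: owned by uid {st.st_uid}")
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # In a sticky directory (e.g. /tmp) users cannot replace others' files.
        sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if writable and not sticky:
            problems.append(f"{current}: group/world-writable "
                            f"({stat.filemode(st.st_mode)})")
        parent = os.path.dirname(current)
        if current == boundary or parent == current:
            return problems
        current = parent

def audit_init_scripts(init_dir="/etc/init.d", trusted_uids=frozenset({0}),
                       boundary="/"):
    """Map each init script to the problems of the executables it names."""
    findings = {}
    if not os.path.isdir(init_dir):
        return findings
    for name in sorted(os.listdir(init_dir)):
        script = os.path.join(init_dir, name)
        if not os.path.isfile(script):
            continue
        with open(script, errors="replace") as fh:
            refs = sorted(set(PATH_RE.findall(fh.read())))
        for ref in refs:
            if os.path.isfile(ref) and os.access(ref, os.X_OK):
                problems = path_problems(ref, trusted_uids, boundary)
                if problems:
                    findings.setdefault(script, []).extend(problems)
    return findings

if __name__ == "__main__":
    for script, problems in audit_init_scripts().items():
        for problem in problems:
            print(f"{script}: {problem}")
```

An empty result means every executable named in the init scripts, and every directory above it, is owned by root and not writable by group or others.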

References:

  • BID-11698: Gentoo GIMPS EBuild Insecure Default Permissions Vulnerability
  • BID-11699: Gentoo SETI@home EBuild Insecure Default Permissions Vulnerability
  • BID-11700: Gentoo ChessBrain EBuild Insecure Default Permissions Vulnerability
  • CVE-2004-1115: The init scripts in Search for Extraterrestrial Intelligence (SETI) project 3.08-r3 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs.
  • CVE-2004-1116: The init scripts in Great Internet Mersenne Prime Search (GIMPS) 23.9 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs.
  • CVE-2004-1117: The init scripts in ChessBrain 20407 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs.
  • GLSA-200411-26: GIMPS, SETI@home, ChessBrain: Insecure installation

Platforms Affected:

  • ChessBrain project ChessBrain
  • Gentoo Linux
  • GIMPS GIMPS
  • SETI SETI@home

Reported:

Nov 18, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
