Prime95 buffer overflow leads to RCE (CVE-2019-25327)
CVE-2019-25327
Attackers can execute arbitrary code via a crafted, overly long PrimeNet user ID (or proxy server) input. The documented proof of concept delivers the payload through the application's own input fields and then opens a bind shell, so the flaw is best understood as code execution triggered by malicious input that in turn gives the attacker remote access. Update Prime95 to version 29.8 build 7 or later immediately.
Patch now - CVE-2019-25327 is a critical buffer overflow in Prime95 version 29.8 build 6. A successful exploit runs attacker-supplied code with the privileges of the Prime95 process and, in the documented proof of concept, leaves a network-accessible backdoor on the system. Update to the latest version immediately.
Overview
A critical security flaw has been identified in Prime95, a widely used application for stress-testing computer hardware and contributing to distributed computing projects (GIMPS / PrimeNet). This vulnerability allows an attacker to run code of their choosing on an affected system and, through the backdoor the payload installs, to control that system remotely.
Vulnerability Explained
In simple terms, the software contains a fundamental programming error in how it handles user input. Specifically, the fields where a user enters their PrimeNet ID and proxy server information are copied into fixed-size memory buffers without checking the length of the text first. An attacker can craft a specially designed, overly long input containing a malicious payload and supply it through these fields.
Because there is no length check, the input overflows the designated buffer. The extra bytes overwrite whatever the program stored next to it, including control data such as a saved return address, so the attacker can hijack the program's execution flow and force it to run their own instructions instead of the program's.
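The following C program is an added illustration of the mechanism just described; it is not Prime95's code and the record layout, field sizes and function names are assumptions made for the demo. It places a fixed-size `user_id` field next to a function pointer, copies a constructed over-long input into it without a length check, and shows the pointer being overwritten; beside it, a length-checked setter rejects the same input and leaves the record intact.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A fixed-size configuration record modelled on the dialog described above:
 * two text fields sized like GUI text boxes, followed by a function pointer
 * the program calls later. Field names and sizes are assumptions for this
 * demo, not Prime95's actual layout. */
struct primenet_cfg {
    char user_id[16];
    char proxy_host[32];
    int (*validate)(const struct primenet_cfg *);
    char spill[16];  /* stands in for whatever memory follows the record */
};

static int validate_default(const struct primenet_cfg *c)
{
    return c->user_id[0] != '\0';
}

/* VULNERABLE: copies the whole input with no length check, the way an
 * unchecked strcpy() would. The byte loop writes straight past user_id into
 * proxy_host and then over the function pointer. */
static void set_user_id_unchecked(struct primenet_cfg *c, const char *input)
{
    unsigned char *dst = (unsigned char *)c + offsetof(struct primenet_cfg, user_id);
    size_t n = strlen(input);
    for (size_t i = 0; i <= n; i++)   /* <= copies the terminator too */
        dst[i] = (unsigned char)input[i];
}

/* HARDENED: reject input that does not fit, then copy with the terminator. */
static int set_user_id_checked(struct primenet_cfg *c, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof c->user_id)
        return -1;                    /* caller reports "ID too long" */
    memcpy(c->user_id, input, n + 1);
    return 0;
}

/* Constructed over-long input (not the published PoC string): 16 bytes fill
 * user_id, 32 more run over proxy_host, 8 land on the function pointer.
 * It is sized so the overrun stays inside the record in this simulation;
 * the real bug has no such limit. */
#define OVERLONG_LEN 56
static void build_overlong_input(char out[OVERLONG_LEN + 1])
{
    memset(out, 'A', 16);
    memset(out + 16, 'B', 32);
    memset(out + 48, 'C', 8);
    out[OVERLONG_LEN] = '\0';
}

/* Returns 1 if the unchecked copy replaced the function pointer with 'C' bytes. */
int pointer_clobbered_by_unchecked_copy(void)
{
    struct primenet_cfg cfg = { .validate = validate_default };
    char input[OVERLONG_LEN + 1];
    build_overlong_input(input);
    set_user_id_unchecked(&cfg, input);
    return memcmp(&cfg.validate, "CCCCCCCC", sizeof cfg.validate) == 0
        && cfg.proxy_host[0] == 'B';
}

/* Returns 1 if the checked setter rejected the same input and left the record intact. */
int record_intact_after_checked_copy(void)
{
    struct primenet_cfg cfg = { .validate = validate_default };
    char input[OVERLONG_LEN + 1];
    build_overlong_input(input);
    int rc = set_user_id_checked(&cfg, input);
    return rc == -1 && cfg.validate == validate_default
        && cfg.proxy_host[0] == '\0' && cfg.user_id[0] == '\0';
}

/* Returns 1 if a normal-length ID is stored and still validates. */
int checked_copy_accepts_short_id(void)
{
    struct primenet_cfg cfg = { .validate = validate_default };
    return set_user_id_checked(&cfg, "gimps_user1") == 0
        && strcmp(cfg.user_id, "gimps_user1") == 0
        && cfg.validate(&cfg) == 1;
}

int main(void)
{
    printf("unchecked copy clobbers function pointer: %d\n", pointer_clobbered_by_unchecked_copy());
    printf("checked copy rejects over-long id:        %d\n", record_intact_after_checked_copy());
    printf("checked copy accepts normal id:           %d\n", checked_copy_accepts_short_id());
    return 0;
}
```

In a real process the overwritten control data would be a saved return address or similar rather than a pointer inside the same struct, and the bytes landing on it would be chosen by the attacker to point at their payload instead of being `CCCCCCCC`; the fix is the same in both cases: check the length against the buffer before copying and fail closed when it does not fit.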
Potential Impact
The impact of this vulnerability is severe. By exploiting it, an attacker can execute any code they choose on the victim’s computer with the same privileges as the Prime95 process. In the documented proof-of-concept, this code opens a “bind shell” listening on network port 3110; that port is a choice made by the payload author, not a property of Prime95, so a different payload could use any port or connect outbound instead.
This gives the attacker a remote command-line backdoor into the system, enabling them to:
- Install malware, ransomware, or spyware.
- Steal sensitive data.
- Use the compromised machine to attack other systems on the network.
- Disrupt system stability and performance.
Any system running the affected version of Prime95 is at risk, especially if the software is configured to connect to the PrimeNet network.
Remediation and Mitigation
Immediate action is required to protect vulnerable systems.
1. Update Immediately: The primary and most effective solution is to upgrade to a patched version of Prime95. Users should visit the official Mersenne Research, Inc. website to download and install the latest version, which contains a fix for this buffer overflow.
2. Restrict Network Access: As a temporary mitigation if an immediate update is not possible, use host-based or network firewalls to block inbound connections to port 3110 (and other unnecessary ports) from untrusted networks, and restrict outbound connections from the host where practical. This can stop an attacker from reaching the backdoor shell used in the published proof-of-concept, but it does not remove the overflow itself, and a modified payload can listen on another port or call out to the attacker, so treat it as a stopgap only.
3. Practice Principle of Least Privilege: Avoid running Prime95 with administrative or root privileges. Running it with a standard user account can limit the potential damage of a successful exploit.
IT professionals should identify any instances of Prime95 version 29.8 build 6 within their environment, prioritize its update, confirm the installed version string after patching, and validate that firewall rules are in place to restrict unnecessary network exposure.