SB2024081230 - Multiple vulnerabilities in NI FlexLogger and SystemLink Server
Published: August 12, 2024
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-6121)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the use of a vulnerable version of Redis within the product installer. A local user can escalate privileges and execute arbitrary code in the context of SYSTEM.
2) Incorrect Privilege Assignment (CVE-ID: CVE-2024-6122)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to incorrect assignment of permissions to access Redis credentials. A local user can disclose stored credentials.
Remediation
Install the update from the vendor's website.
References
- https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/ni-systemlink-server-ships-out-of-date-redis-version.html
- https://www.zerodayinitiative.com/advisories/ZDI-24-1032/
- https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/incorrect-default-directory-permissions-for-ni-systemlink-redis-service.html
- https://www.zerodayinitiative.com/advisories/ZDI-24-1033/