Multiple vulnerabilities in NI FlexLogger and SystemLink Server



Published: 2024-08-12
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2024-6121
CVE-2024-6122
CWE-ID CWE-264
CWE-266
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe 		FlexLogger
Other software / Other software solutions

SystemLink Server
Other software / Other software solutions

Vendor National Instruments

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU95789

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-6121

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to use of a vulnerable version of Redis within the product installer. A local user can escalate privileges and execute arbitrary code in the context of SYSTEM.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

FlexLogger: 2023 Q2

SystemLink Server: 2024 Q1

External links

http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/ni-systemlink-server-ships-out-of-date-redis-version.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1032/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Incorrect Privilege Assignment

EUVDB-ID: #VU95790

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-6122

CWE-ID: CWE-266 - Incorrect Privilege Assignment

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect assignment of permissions to access Redis credentials. A local user can disclose stored credentials.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SystemLink Server: 2024 Q1

FlexLogger: 2023 Q2

External links

http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/incorrect-default-directory-permissions-for-ni-systemlink-redis-service.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1033/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###