Risk | High |
Patch available | YES |
Number of vulnerabilities | 8 |
CVE-ID | CVE-2024-6675 CVE-2024-6805 CVE-2024-6806 CVE-2024-6794 CVE-2024-6793 CVE-2024-6791 |
CWE-ID | CWE-502 CWE-749 CWE-22 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | VeriStand (Other software / Other software solutions) |
Vendor | National Instruments |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
EUVDB-ID: #VU96194
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6675
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can trick a victim into opening a specially crafted NIVSPRJ file and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: VeriStand: 2020 - 2024
http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/deserialization-of-untrusted-data-vulnerability-in-ni-veristand-project-file.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1031/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU96220
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6805
CWE-ID:
CWE-749 - Exposed Dangerous Method or Function
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to an exposed dangerous method or function within the processing of service requests in the ProjectServer component. A remote attacker can perform a denial of service (DoS) attack.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: VeriStand: 2020 - 2024
http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/missing-authorization-checks-in-ni-veristand-gateway.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1024/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU96219
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6805
CWE-ID:
CWE-749 - Exposed Dangerous Method or Function
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to an exposed dangerous method or function within the IFileTransferServer component. A remote attacker can disclose information in the context of the current user.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: VeriStand: 2020 - 2024
http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/missing-authorization-checks-in-ni-veristand-gateway.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1025/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU96218
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6806
CWE-ID:
CWE-749 - Exposed Dangerous Method or Function
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to an exposed dangerous method or function within the processing of service requests in the ProjectServer component. A remote attacker can execute arbitrary code on the target system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: VeriStand: 2020 - 2024
http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/missing-authorization-checks-in-ni-veristand-gateway.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1026/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU96217
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6806
CWE-ID:
CWE-749 - Exposed Dangerous Method or Function
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the system.
The vulnerability exists due to an exposed dangerous method or function within the processing of service requests in the ProjectServer component. A remote attacker can execute arbitrary code on the target system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: VeriStand: 2020 - 2024
http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/missing-authorization-checks-in-ni-veristand-gateway.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1027/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU96216
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6794
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the processing of service requests in the WaveformStreamingServer component. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: VeriStand: 2020 - 2024
http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/deserialization-of-untrusted-data-vulnerabilities-in-ni-veristand.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1028/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU96212
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6793
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the processing of service requests in the DataLoggingServer component. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: VeriStand: 2020 - 2024
http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/deserialization-of-untrusted-data-vulnerabilities-in-ni-veristand.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1029/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU96211
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6791
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can trick a victim into opening a specially crafted VSMODEL file and read arbitrary files on the system, leading to arbitrary code execution.
Mitigation: Install update from vendor's website.
Vulnerable software versions: VeriStand: 2020 - 2024
http://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/directory-path-traversal-vulnerability-in-ni-veristand-with-vsmodel-files.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1030/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.