Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2024-6121 CVE-2024-6122 |
CWE-ID | CWE-264 CWE-266 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software Subscribe |
FlexLogger Other software / Other software solutions SystemLink Server Other software / Other software solutions |
Vendor | National Instruments |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU95789
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6121
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to use of a vulnerable version of Redis within the product installer. A local user can escalate privileges and execute arbitrary code in the context of SYSTEM.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFlexLogger: 2023 Q2
SystemLink Server: 2024 Q1
External linkshttp://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/ni-systemlink-server-ships-out-of-date-redis-version.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1032/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU95790
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6122
CWE-ID:
CWE-266 - Incorrect Privilege Assignment
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to incorrect assignment of permissions to access Redis credentials. A local user can disclose stored credentials.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSystemLink Server: 2024 Q1
FlexLogger: 2023 Q2
External linkshttp://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/incorrect-default-directory-permissions-for-ni-systemlink-redis-service.html
http://www.zerodayinitiative.com/advisories/ZDI-24-1033/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.