SB2024081230 - Multiple vulnerabilities in NI FlexLogger and SystemLink Server

Description

This security bulletin contains information about 2 vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-6121)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to use of a vulnerable version of Redis within the product installer. A local user can escalate privileges and execute arbitrary code in the context of SYSTEM.

2) Incorrect Privilege Assignment (CVE-ID: CVE-2024-6122)

CWE-ID: CWE-266 - Incorrect Privilege Assignment

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect assignment of permissions to access Redis credentials. A local user can disclose stored credentials.

Remediation

Install update from vendor's website.

References

• https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/ni-systemlink-server-ships-out-of-date-redis-version.html
• https://www.zerodayinitiative.com/advisories/ZDI-24-1032/
• https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/incorrect-default-directory-permissions-for-ni-systemlink-redis-service.html
• https://www.zerodayinitiative.com/advisories/ZDI-24-1033/