Hello,
I've recently discovered a critical vulnerability in the National
Instruments Linux driver package, which opens up a remote code
injection (software update) vulnerability.
Classification:
CRITICAL / 0day - easily exploitable
Impact:
Complete takeover of the OS itself
Takeover of (potentially critical) industrial machinery
Affected product(s):
NI Linux Device Drivers / July 2018
http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/
Affected platform(s):
GNU/Linux - RHEL, SLES (other distros aren't supported anyways)
Vulnerability:
The product adds additional package repositories to the OS's package
manager, but disables signature checks and uses plain (unencrypted)
HTTP for software downloads.
Further details can be easily seen in the deployed package repository
configuration file (ni-software-2018.repo).
Attack vectors:
The victim can be tricked into downloading/installing manipulated updates,
e.g. via MITM, DNS spoofing, etc. - so the attacker can abuse software
updates for direct malware deployment and also take over the whole
operating system (e.g. kernel) itself.
Mitigation:
#1: remove the package 'ni-software-2018'
#2: make sure the repo description files are removed:
SLES:
/etc/zypp/repos.d/ni-software-2018.repo
/etc/zypp/vendors.d/ni.conf
RHEL:
/etc/yum/repos.d/ni-software-2018.repo
#3: refresh the package manager index
This removes the NI repository from the OS's package manager - the NI
software can no longer be automatically installed/updated via the
package manager.
In case the operator still trusts the vendor enough to deploy its
software, this now has to be done manually (note: the packages can
only be downloaded via insecure plain HTTP!). It's strongly advised
not to install any software from untrusted sources / via untrusted
channels.
If a system update (even a minor patch) via package manager was done
in the meantime, it's *highly* advised to carefully check all
installed packages against the original repositories - the system
easily could be compromised by now!
Solution:
The vendor (NI) needs to set up proper package signing infrastructure,
add its public key to the repo configuration and enable gpgcheck.
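
An added example, not part of the original advisory and not NI's own file: a small Python audit that parses yum/zypper .repo stanzas and flags the two weaknesses described above (signature checks disabled, plaintext download URLs). The sample stanzas, the repo.example.invalid host and the key path are constructed; treating a missing gpgcheck line as "enabled" is an assumption (pass default_gpgcheck=False if the package manager's global setting differs).

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample, NOT the vendor's actual file: a stanza with the two weak
# settings the advisory describes, beside a corrected one.
SAMPLE_REPO = """\
[vendor-weak]
baseurl=http://repo.example.invalid/rhel/7
enabled=1
gpgcheck=0

[vendor-fixed]
baseurl=https://repo.example.invalid/rhel/7
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""

DISABLED = {"0", "no", "false", "off"}
URL_KEYS = ("baseurl", "mirrorlist", "metalink")


def audit_repo_text(text, default_gpgcheck=True):
    """Return {repo_id: [issues]} for enabled repos with weak settings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo.get("enabled", "1").strip().lower() in DISABLED:
            continue  # a disabled repo is never pulled from
        issues = []
        gpgcheck = repo.get("gpgcheck")
        # Assumption: a missing gpgcheck inherits the caller-supplied default.
        checked = default_gpgcheck if gpgcheck is None else gpgcheck.strip().lower() not in DISABLED
        if not checked:
            issues.append("gpgcheck disabled")
        for key in URL_KEYS:
            for url in repo.get(key, "").split():  # a key may list several URLs
                if urlsplit(url).scheme.lower() in ("http", "ftp"):
                    issues.append(f"plaintext {key}: {url}")
        if issues:
            report[repo_id] = issues
    return report


if __name__ == "__main__":
    for repo_id, issues in audit_repo_text(SAMPLE_REPO).items():
        print(repo_id, issues)
```

To audit a host, pass the contents of each .repo file under the package manager's repo directories to audit_repo_text().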
# 0day.today [2018-07-22] #