what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

National Instruments Linux Driver Remote Code Injection

National Instruments Linux Driver Remote Code Injection
Posted Jul 20, 2018
Authored by Enrico Weigelt

The National Instruments Linux driver package suffers from a remote code injection (software update) vulnerability.

tags | advisory, remote
systems | linux
SHA-256 | 583aba1c966b02f9bbfab9bc9ac711477ba3f166b683c8f6625e88147c6c15d7

National Instruments Linux Driver Remote Code Injection

Change Mirror Download
Hello folks,

i've recently discovered a critical vulnerability in the National
Instruments Linux driver package, which opens up an remote code
injection (software update) vulnerability.


Classification:

CRITICAL / 0day - easily exploitable


Impact:

Complete takeover of the OS itself
Takeover of (potentially critical) industrial machinery


Affected product(s):

NI Linux Device Drivers / July 2018
http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/


Affected platforms(s):

GNU/Linux - RHEL, SLES (other distros aren't supported anyways)


Vulnerability:

The product adds additional package repositories to the OS'es package
manager, but disables signature checks and uses plain (unencrypted)
HTTP for software downloads.

Further details can be easily seen in the deployed package repository
configuration file (ni-software-2018.repo).


Attack vectors:

The victim can be tricked to download/install manipulated updates, eg.
via MITM, dns spoofing, etc - so the attacker can abuse software
updates for direct malware deployment and also take over the whole
operating system (eg. kernel) itself.


Mitigation:

#1: remove the package 'ni-software-2018'
#2: make sure, the repo description files are removed:

SLES:
/etc/zypp/repos.d/ni-software-2018.repo
/etc/zypp/vendors.d/ni.conf

RHEL:
/etc/yum/repos.d/ni-software-2018.repo

#3: refresh the package manager index

This removes the NI repository from the OS'es package manager - the NI
software now can't be automatically installed/updated via package
manager anymore.

In case the operator still trusts the vendor enough to deploy it's
software, this now has to be done manually (note: the packages can
only be downloaded via insecure plain HTTP !). It's strongly adviced
not to install any software from untrusted sources / via untrusted
channels.

If an system update (even a minor patch) via package manager was done
in the meantime, it's *highly* adviced to carefully check all
installed packages against the original repositories - the system
easily could be compromised by now !


Solution:

The vendor (NI) needs to setup proper package signing infrastructure,
add it's public key to the repo configuration and enable gpgcheck.


Final notes:

Since NI is one of few vendors with special certifications, eg. ATEX,
railway, etc, it's likely this hardware can be found in very critical
infrastructure (eg. power plants, factories, etc) and those
potentially could already be compromised by now via driver update.


About the author:

GNU/Linux veteran with strong background in software engineering,
embedded systems, industrial automation, IT infrastructure.

email: info@metux.net
phone: +49-151-27565287


--
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close