
What Is the Nature of Software Vulnerability NI-64BG6SWQ-1?



Primary Software: LabVIEW Development Systems>>LabVIEW Base Development System
Primary Software Version: 2012 SP1
Primary Software Fixed Version: N/A
Secondary Software: LabWindows/CVI Development Systems>>LabWindows/CVI Base Package

Problem:
I’d like to understand how severe software vulnerability NI-64BG6SWQ-1 is so that I can make an informed decision about patching the affected software. What Is the Nature of Software Vulnerability NI-64BG6SWQ-1?

Solution:
You can use the following information to assess the security risk of vulnerability NI-64BG6SWQ-1 to your environment.

Flaw details:
Multiple ActiveX controls contain an ExportStyle() method that allows creation of an arbitrary file with the desired extension at an arbitrary location. An attacker can control file content by setting a ‘Caption’ or ‘FormatString’ property. The vulnerable controls in cwui.ocx are CWNumEdit, CWGraph, CWBoolean, CWSlide, and CWKnob.

Impact and exploitability:
This vulnerability allows remote attackers to execute arbitrary code with the same privileges as the current user. The targeted user must visit a malicious page using Microsoft Internet Explorer or open a malicious Microsoft Office file for an attacker to successfully exploit this vulnerability. National Instruments is not aware of any active attempts to exploit this issue.

CVSS Severity: High

Base Score | Exploitability | Impact | Vector
9.3 | 8.6 | 10 | (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected products:
This vulnerability affects the following major products, but other National Instruments products and versions are affected as well. To determine if your system is affected, download and run the May 2013 Security Verification Tool.

Affected software | Version(s)
LabVIEW | 2012 SP1 and previous
LabWindows/CVI | 2012 SP1 and previous
Measurement Studio | 2013 and previous
TestStand | 2012 SP1 and previous
Device Drivers | 2013.02 and previous

Resolution:
National Instruments has issued an update to affected products. For more information, refer to How Does NI Security Update 67L8K7QW Affect Me?.

In lieu of patching, users of affected products can add “kill bits” to the registry to prevent vulnerable ActiveX controls from being loaded in Microsoft Internet Explorer and Microsoft Office. For more information, refer to How Do Microsoft “Kill Bits” Affect NI ActiveX Components?
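One way to audit the kill-bit mitigation described above, as an added PowerShell example that is not part of the NI advisory: it assumes an elevated shell on the affected Windows host, and it finds the controls by their registered server DLL (cwui.ocx) because the advisory does not list their CLSIDs. By default it only reports; set $Apply to $true to write the bit.

```powershell
# Added example, not from the NI advisory: find every COM class on this host served by
# cwui.ocx and report (or set) the Internet Explorer/Office kill bit for it.
# Assumptions: elevated PowerShell; both the native and the Wow6432Node registry views
# are handled because cwui.ocx is registered as a 32-bit control.
$KillBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD, the bit checked in "Compatibility Flags"

$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CwuiControls {
    # Walk HKLM\SOFTWARE\Classes\CLSID in both views; keep entries whose InprocServer32 is cwui.ocx
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $srv = $key.OpenSubKey('InprocServer32')
            if (-not $srv) { continue }
            $dll = [string]$srv.GetValue('')   # default value = path of the server DLL/OCX
            $srv.Close()
            if ($dll -match '\\cwui\.ocx') {
                [pscustomobject]@{ Clsid = $key.PSChildName; Name = [string]$key.GetValue(''); Server = $dll }
            }
        }
    }
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $flags = (Get-ItemProperty -Path "$root\$Clsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($flags -and (($flags -band $KillBitFlag) -ne 0)) { return $true }
    }
    return $false
}

function Set-KillBit {
    # OR the kill bit into the existing flags in both views so other compatibility flags survive
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $p = "$root\$Clsid"
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $cur) { $cur = 0 }
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value ($cur -bor $KillBitFlag) -Type DWord
    }
}

$Apply = $false   # $true writes the kill bit for any cwui.ocx control that lacks it
foreach ($c in Get-CwuiControls) {
    if ($Apply -and -not (Test-KillBit $c.Clsid)) { Set-KillBit $c.Clsid }
    [pscustomobject]@{ Clsid = $c.Clsid; Name = $c.Name; KillBit = (Test-KillBit $c.Clsid) }
}
```

The same script can be re-run after applying NI Security Update 67L8K7QW to confirm which controls are still registered and blocked.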

Source:
The NI Product Security Team published this advisory. You may direct questions about this advisory to security 'at' ni.com and find more information about National Instruments product security at http://www.ni.com/security.

Credit:
Andrea Micalizzi, also known as rgod, discovered this vulnerability and reported it through Hewlett Packard’s Zero Day Initiative.

Report Date: 08/24/2013
Last Updated: 11/11/2014
Document ID: 6CN8NEAR
