NI Driver Critical Vunerablity

[szewczak]

I wanted to cross post metux's discovery here asap, and have a separate discussion.

Metux's original post:

The recent Linux driver package introduces a CRITICAL security vulnerability:

 

http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/

 

It adds additional yum/zypper repos, but explicitly disabling package signing and using unencrypted HTTP transport. That way, it's pretty trivial to completely takeover the affected systems, by injecting malicious packages.

 

 

DO NOT INSTALL THIS BROKEN SOFTWARE - IT IS DANGEROUS !

 

CERT and BSI are already notified.

 

 

 

 

 

Edited July 17, 2018 by szewczak

[ShaunR]

A bit of light background reading.

[jacobson]

As I posted on the ni.com forums but it would be great if people made sure to notify the NI security team first. If they aren't going to fix the issue or are completely unresponsive go nuts but I would at least want to give companies the opportunity to do something first.

http://www.ni.com/support/security/

I sent security@ni.com an email at 4:45 and got a response at 4:46 (not an auto-reply) so, if nothing else, it's clear that they want to hear about these things.

[szewczak]

I now regret cross posting this. At the time I understood this was all happening after incommunicado from NI/security. I guess you can't trust everyone on the internet.  

[infinitenothing]

Does this only affect users that get updates from the repositories? because that seems like a fairly small minority.