szewczak 0 Report post Posted July 17, 2018 (edited) I wanted to cross post metux's discovery here asap, and have a separate discussion. Metux's original post: The recent Linux driver package introduces a CRITICAL security vulnerability: http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/ It adds additional yum/zypper repos, but explicitly disabling package signing and using unencrypted HTTP transport. That way, it's pretty trivial to completely takeover the affected systems, by injecting malicious packages. DO NOT INSTALL THIS BROKEN SOFTWARE - IT IS DANGEROUS ! CERT and BSI are already notified. Edited July 17, 2018 by szewczak Quote Share this post Link to post Share on other sites
ShaunR 833 Report post Posted July 17, 2018 A bit of light background reading. Quote Share this post Link to post Share on other sites
jacobson 31 Report post Posted July 17, 2018 As I posted on the ni.com forums but it would be great if people made sure to notify the NI security team first. If they aren't going to fix the issue or are completely unresponsive go nuts but I would at least want to give companies the opportunity to do something first. http://www.ni.com/support/security/ I sent security@ni.com an email at 4:45 and got a response at 4:46 (not an auto-reply) so, if nothing else, it's clear that they want to hear about these things. 2 Quote Share this post Link to post Share on other sites
szewczak 0 Report post Posted August 2, 2018 I now regret cross posting this. At the time I understood this was all happening after incommunicado from NI/security. I guess you can't trust everyone on the internet. Quote Share this post Link to post Share on other sites
infinitenothing 48 Report post Posted August 2, 2018 Does this only affect users that get updates from the repositories? because that seems like a fairly small minority. Quote Share this post Link to post Share on other sites
