Jump to content
szewczak

NI Driver Critical Vunerablity

Recommended Posts

I wanted to cross post metux's discovery here asap, and have a separate discussion.

Metux's original post:

The recent Linux driver package introduces a CRITICAL security vulnerability:

 

http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/

 

It adds additional yum/zypper repos, but explicitly disabling package signing and using unencrypted HTTP transport. That way, it's pretty trivial to completely takeover the affected systems, by injecting malicious packages.

 

 

DO NOT INSTALL THIS BROKEN SOFTWARE - IT IS DANGEROUS !

 

CERT and BSI are already notified.

 

 

 

 

 

Edited by szewczak

Share this post


Link to post
Share on other sites

As I posted on the ni.com forums but it would be great if people made sure to notify the NI security team first. If they aren't going to fix the issue or are completely unresponsive go nuts but I would at least want to give companies the opportunity to do something first.

http://www.ni.com/support/security/

I sent security@ni.com an email at 4:45 and got a response at 4:46 (not an auto-reply) so, if nothing else, it's clear that they want to hear about these things.

  • Like 2

Share this post


Link to post
Share on other sites

I now regret cross posting this. At the time I understood this was all happening after incommunicado from NI/security. I guess you can't trust everyone on the internet.  

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Similar Content

    • By RMowatt
      I am experiencing numerous VISA Lock Errors (-1073807345) on resources I haven't explicitly locked.  This is happening on TCPIP connections to keysight N6700 power supplies and keysight N5242 PNA fairly regularly.
      I have simultaneous loops in the application communicating to the different instruments, using a sequencer of sorts to pipe commands one at a time to each of my various loops.
      Has anyone seen the locking error pop before while not actually using the Lock and Unlock VIs?  This issue has gotten worse lately and it has come time to find the root cause.  My only thoughts are that it may have something to do with having NI MAX and Keysight Connection Expert both installed and possibly trying to "ping" these devices.  Every once in a while me sending commands and these "pings" may clash and cause the locking error.
      Error reads as follows:
      "Specified type of lock cannot be obtained, or specified operation cannot be performed, because the resource is locked. VISA error code -1073807345 (0xBFFF000F)"
      We are using LabVIEW 2013
      Thanks in advance!
    • By Porter
      View File Plasmionique Modbus Master
      This package contains the Plasmionique Modbus Master library for LabVIEW.
      It supports RTU, ASCII and TCP modes with the following function codes:
      0x01 - Read Coils
      0x02 - Read Discrete Inputs
      0x03 - Read Holding Registers
      0x04 - Read Input Registers
      0x05 - Write Single Coil
      0x06 - Write Single Register
      0x07 - Read Exception Status
      0x0F - Write Multiple Coils
      0x10 - Write Multiple Registers
      0x16 - Mask Write Register
      0x17 - Read/Write Multiple Registers
      0x2B/0x0E - Read Device Identification
      Other features include:
      - Sharing a COM port across multiple Modbus sessions using VISA locks (10 second timeout).
      - Sharing a Modbus session across multiple communication loops.
      - TCP transaction ID handling to ensure that requests and responses are matched up correctly in case responses are received out of order.
      - Modbus Comm Tester, available through the "Tools->Plasmionique" menu, for testing communication with a slave device without writing any code. 
      - Detailed help document available through the "Help->Plasmionique" menu.
      Examples are included in "<LabVIEW>\examples\Plasmionique\MB Master\":
      MB_Master Comm Tester.vi: Demonstrates usage of API to open/close connection and communicate with a Modbus slave device. MB_Master Multiple Sessions.vi: Demonstrates usage of API to open concurrent Modbus sessions. MB_Master Simple Serial.vi: Demonstrates polling of a single input register over serial line. Download a copy of the user guide here: MB_Master - User Guide.pdf
      Note that Version 1.3.4 of this library has been certified compatible with LabVIEW and has been released on the LabVIEW Tools Network: http://sine.ni.com/nips/cds/view/p/lang/en/nid/214230
      The most recent version of this library will always be released on LAVA first before going through NI's certification process.
      ***This project is now available on GitHub: https://github.com/rfporter/Modbus-Master
      Submitter Porter Submitted 04/01/2016 Category LabVIEW Tools Network Certified LabVIEW Version 2012 License Type BSD (Most common)  
    • By Porter
      This package contains the Plasmionique Modbus Master library for LabVIEW.
      It supports RTU, ASCII and TCP modes with the following function codes:
      0x01 - Read Coils
      0x02 - Read Discrete Inputs
      0x03 - Read Holding Registers
      0x04 - Read Input Registers
      0x05 - Write Single Coil
      0x06 - Write Single Register
      0x07 - Read Exception Status
      0x0F - Write Multiple Coils
      0x10 - Write Multiple Registers
      0x16 - Mask Write Register
      0x17 - Read/Write Multiple Registers
      0x2B/0x0E - Read Device Identification
      Other features include:
      - Sharing a COM port across multiple Modbus sessions using VISA locks (10 second timeout).
      - Sharing a Modbus session across multiple communication loops.
      - TCP transaction ID handling to ensure that requests and responses are matched up correctly in case responses are received out of order.
      - Modbus Comm Tester, available through the "Tools->Plasmionique" menu, for testing communication with a slave device without writing any code. 
      - Detailed help document available through the "Help->Plasmionique" menu.
      Examples are included in "<LabVIEW>\examples\Plasmionique\MB Master\":
      MB_Master Comm Tester.vi: Demonstrates usage of API to open/close connection and communicate with a Modbus slave device. MB_Master Multiple Sessions.vi: Demonstrates usage of API to open concurrent Modbus sessions. MB_Master Simple Serial.vi: Demonstrates polling of a single input register over serial line. Download a copy of the user guide here: MB_Master - User Guide.pdf
      Note that Version 1.3.4 of this library has been certified compatible with LabVIEW and has been released on the LabVIEW Tools Network: http://sine.ni.com/nips/cds/view/p/lang/en/nid/214230
      The most recent version of this library will always be released on LAVA first before going through NI's certification process.
      ***This project is now available on GitHub: https://github.com/rfporter/Modbus-Master
    • By Benoit
      Hey guys,
      Can you take a look at this?
      The only work around I found is to dynamically open the connection with an external VI to make it fail so the second time it works.
      If anyone has an instrument that communicate trough TCP-IP with VI, please try on your side with LabVIEW 2018 and visa 18.
      https://forums.ni.com/t5/LabVIEW/VISA-error-with-TCP-IP-BK-precision-2190E/m-p/3876316
      Thanks
    • By PaulL
      Out of the box text in the icon editor looks awful. (See attached image, which is better looking than most.)
      (Yes, even with small fonts: https://forums.ni.com/t5/Linux-Users/Labview-Icons-under-GNOME/gpm-p/3379530.)
      Details:
      LabVIEW 2016 64-bit, CentOS 7 Linux OS
       
      We have tried many things to get this to work, to no avail. 
      Does anyone have a solution?

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.