Critical Vulnerabilities in NI VeriStand Expose Industrial Systems to Remote Attacks
National Instruments (NI) has issued a critical security advisory warning users of its widely-used real-time testing software, VeriStand, about two severe vulnerabilities that could allow attackers to execute malicious code on affected systems remotely. These vulnerabilities, identified as CVE-2024-6793 and CVE-2024-6794, carry the highest possible severity score of 9.8 on the Common Vulnerability Scoring System (CVSS).
Deserialization Dangers
The vulnerabilities stem from improper handling of untrusted data during the deserialization process within VeriStand’s DataLogging Server and Waveform Streaming Server components. By sending specially crafted messages, malicious actors can exploit these flaws to execute arbitrary code, potentially gaining full control over the targeted systems.
Widespread Impact
The potential impact of these vulnerabilities is significant, considering the widespread use of NI VeriStand in critical infrastructure sectors such as automotive, aerospace, and energy. A successful attack could disrupt real-time testing operations, compromise sensitive data, and even lead to safety hazards in industries where VeriStand is used for HIL simulation and testing.
Mitigation Measures
NI has released patches for VeriStand 2024 and strongly recommends that users upgrade to the latest version (2024 Q3 or later) to mitigate these vulnerabilities. The company is actively working on patches for VeriStand 2023 and 2021, while versions 2020 and prior are no longer supported.
Users are urged to prioritize applying these updates as soon as possible. While workarounds are not currently available, upgrading to the patched version is the most effective way to protect against exploitation.