NI VeriStand Gateway Vulnerability Exposes Critical Systems to Risk
National Instruments (NI) has issued an urgent security advisory regarding a critical vulnerability in its VeriStand Gateway software, a cornerstone of the VeriStand real-time testing and simulation framework. The vulnerability affects VeriStand 2024 Q2 and prior versions and could expose sensitive systems to unauthorized access and malicious attacks.
The Vulnerability
The vulnerability stems from missing authorization checks within the VeriStand Gateway, which handles communication between the host computer running VeriStand and the real-time target hardware executing the simulation model. Exploiting this vulnerability, malicious actors could gain unauthorized access to Project and File Transfer resources, leading to:
- Remote Code Execution (CVE-2024-6806): Attackers could execute arbitrary code on the target system, compromising the integrity of the simulation and potentially causing significant harm.
- Information Disclosure (CVE-2024-6805): Sensitive data related to the project or file transfer could be exposed, revealing confidential information or compromising intellectual property.
Severity and Impact
The vulnerability associated with Project resources (CVE-2024-6806) has a Common Vulnerability Scoring System (CVSS) score of 9.8 (Critical), highlighting its potential for severe impact. The vulnerability tied to File Transfer resources (CVE-2024-6805) is rated 7.5 (High), still posing a significant risk.
Who is Affected?
Organizations across various industries, including automotive, aerospace, and energy, rely on NI VeriStand for real-time testing and simulation of critical systems. Any deployment of VeriStand 2024 Q2 or prior versions could be vulnerable to these issues.
Mitigation and Recommendations
NI strongly urges all users to immediately upgrade their VeriStand software to the latest version (2024 Q3 or later), which contains the necessary security patches. Users of older versions (VeriStand 2023 and 2021) should remain vigilant and consider upgrading as soon as patches become available.
For additional information and support, please contact NI technical support or refer to the official security advisory.