Incorrect Default Directory Permissions for NI SystemLink Redis Service

Overview

An incorrect permission in the installation directory for the shared NI SystemLink Server KeyValueDatabase service may result in information disclosure via local access. This affects NI SystemLink Server 2024 Q1 and prior versions. It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service.

This vulnerability is identified as CVE-2024-6122.

Mitigation Guidance

NI strongly recommends upgrading the affected software to fix this vulnerability. Refer to the Affected Products section to download the update. If upgrading is not possible, this issue may be mitigated using the following methods.

Using Windows Explorer

  1. Navigate to <ProgramData>\National Instruments\Skyline\
  2. Right-click on the folder KeyValueDatabase and select Properties. 
  3. In the Properties window, go to the Security tab
  4. Click Advanced
  5. Click Change Permissions
  6. Click Disable inheritance.
  7. When prompted, choose Convert inherited permissions into explicit permissions on this object.
  8. In the “Permission entries” list, select all instances of Users and Authenticated Users and click Remove on each.
  9. Click the OK button
  10. Reboot the server
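
The same change can be audited and applied from an elevated PowerShell prompt. The script below is an added example, not NI's code; the `-Remediate` switch and the function name are hypothetical, and it assumes the default `%ProgramData%` location named in step 1.

```powershell
#Requires -RunAsAdministrator
# Added example (not NI's code): audit, and optionally fix, the folder ACL.
param([switch]$Remediate)   # hypothetical switch; without it the script only reports

$path = Join-Path $env:ProgramData 'National Instruments\Skyline\KeyValueDatabase'

# Well-known SIDs rather than names, so the match also works on localized Windows.
$broadSids = @(
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-11'        # NT AUTHORITY\Authenticated Users
)

function Get-BroadAce {
    param([string]$Path)
    # Explicit and inherited entries, with identities returned as SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $broadSids -contains $_.IdentityReference.Value }
}

if (-not (Test-Path -LiteralPath $path)) {
    Write-Output "Not found: $path (service not installed or already removed)."
    return
}

# Report every Users / Authenticated Users entry currently on the folder.
$found = @(Get-BroadAce -Path $path)
$found | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

if ($Remediate -and $found.Count -gt 0) {
    # Steps 6-7: disable inheritance, converting inherited entries to explicit ones.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $path -AclObject $acl

    # Step 8: re-read so the converted entries are explicit, then remove them.
    $acl = Get-Acl -LiteralPath $path
    foreach ($sid in $broadSids) {
        $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$sid)
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    $left = @(Get-BroadAce -Path $path).Count
    Write-Output "Broad entries remaining: $left. Reboot the server to finish (step 10)."
}
```

Run it once without `-Remediate` to record the current entries before changing anything.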

 

FlexLogger versions 2023 Q3 and later no longer depend on the NI SystemLink KeyValue Database Service, which includes Redis. To remove Redis from an older FlexLogger system after upgrade:

  1. Open NI Package Manager
  2. Under Settings, check "Show full version numbers and hidden packages"
  3. Click the INSTALLED tab to view all installed packages
  4. Search installed packages for "redis" (press ENTER key after typing in the search field)
  5. Confirm that FlexLogger is NOT included in the list of additional packages that will be removed
  6. Check “NI SystemLink KeyValue Database Service” and press the Remove button

Affected Products

Product Version: SystemLink Server 2024 Q1 and prior versions
Mitigation: Upgrade to SystemLink Server 2024 Q1 Patch 2 or later via NI Package Manager or from Software Downloads

Product Version: FlexLogger 2023 Q2 and prior versions
Mitigation:

If NI SystemLink Server is installed:

Upgrade to SystemLink Server 2024 Q1 Patch 2 or later via NI Package Manager or from Software Downloads

If NI SystemLink Server is not installed:

  1. Upgrade to FlexLogger 2023 Q2 or later via NI Package Manager or from Software Downloads
  2. Remove NI SystemLink KeyValue Database Service from your system. See Mitigation Guidance.

CVSS Score

CVE-2024-6122 - 5.5 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.
