Missing Authorization Checks in NI VeriStand Gateway

Overview

The NI VeriStand Gateway is missing authorization checks when an actor attempts to access Project and File Transfer resources. These missing checks may result in information disclosure or remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.

The missing authorization checks associated with Project resources are identified as CVE-2024-6806.

The missing authorization checks associated with File Transfer resources are identified as CVE-2024-6805.

Mitigation Guidance

NI strongly recommends upgrading the affected software to mitigate this vulnerability.  Refer to the Affected Products section for information on upgrading these products.  

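Affected Products

The affected product versions and their upgrade paths are listed in the table under Additional Resources.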

CVSS Score

CVE-2024-6805 – 7.5 - CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-6806 – 9.8 - CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank kimiya working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.

Additional Resources

| Product Version | Mitigation |
|---|---|
| VeriStand 2024 | Upgrade to NI VeriStand 2024 Q3 or later from NI Package Manager or Software Downloads |
| VeriStand 2023 | Upgrade to NI VeriStand 2023 Q4 Patch 1 or later from NI Package Manager or Software Downloads |
| VeriStand 2021 | Upgrade to NI VeriStand 2021 R3 Patch 2 or later from NI Package Manager or Software Downloads |
| VeriStand 2020 and prior | Not in Mainstream Support |
