Privilege Escalation in NI LabVIEW CLI

Overview

Incorrect default permissions in the installation folder for NI LabVIEW Command Line Interface (CLI) may allow an authenticated user with local access to escalate privileges. This affects the 2022 Q3 release and all prior versions of the NI LabVIEW CLI software. This vulnerability is identified as CVE-2022-42718.

Mitigation Guidance

NI strongly recommends upgrading the affected software to fix this vulnerability. Refer to the Affected Products section to download the update. If upgrading is not possible, this issue may be mitigated using one of the following methods.

Using the command line:

  1. Run cmd.exe as an Administrator
  2. Change directory to <Program Files(x86)>\National Instruments\Shared\
  3. Remove Authenticated Users using the following command:
    cacls "LabVIEW CLI" /E /R "NT AUTHORITY\Authenticated Users"

Using Windows Explorer:

  1. Navigate to <Program Files(x86)>\National Instruments\Shared\
  2. Right-click on the folder LabVIEW CLI and select Properties
  3. In the Properties window, go to the Security tab
  4. In the "Group or user names" section, select Authenticated Users and click on the Edit button
  5. In the Permissions for LabVIEW CLI window >> "Group or user names" section, select Authenticated Users, click Remove, and then click the OK button
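
To check whether a system still carries the permissive entry, or to confirm that either method above took effect, the folder's ACL can be inspected from PowerShell. This is an added example, not NI code; it assumes 64-bit Windows and the default install path used in the steps above, and the -Path parameter and output column names are the example's own.

```powershell
# Added example (not NI code): list ACL entries for Authenticated Users on the
# LabVIEW CLI folder, to see whether the mitigation is needed or has taken effect.
param(
    # Assumption: 64-bit Windows, default install location. Pass -Path otherwise.
    [string]$Path = (Join-Path ${env:ProgramFiles(x86)} 'National Instruments\Shared\LabVIEW CLI')
)

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Warning "Folder not found: $Path"
    return
}

# S-1-5-11 is the well-known SID for NT AUTHORITY\Authenticated Users.
# Matching on the SID works regardless of the Windows display language.
$authUsersSid = 'S-1-5-11'

# Rights that allow creating, changing or deleting files, or changing the ACL itself.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only entries can carry generic rights instead: GENERIC_WRITE, GENERIC_ALL.
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

# Ask for the rules with identities expressed as SIDs rather than account names.
$acl   = Get-Acl -LiteralPath $Path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$found = foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -ne $authUsersSid) { continue }
    if ($rule.AccessControlType -ne 'Allow') { continue }
    [pscustomobject]@{
        Rights      = $rule.FileSystemRights
        Writable    = ([int]$rule.FileSystemRights -band $writeMask) -ne 0
        IsInherited = $rule.IsInherited      # True: the entry comes from a parent folder
        AppliesTo   = $rule.InheritanceFlags
    }
}

if ($found) {
    $found | Format-Table -AutoSize
    if ($found.Writable -contains $true) {
        Write-Warning "Authenticated Users can modify '$Path'."
    }
} else {
    Write-Output "No Allow entries for Authenticated Users on '$Path'."
}
```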

Affected Products

Product Version: NI LabVIEW CLI versions prior to 22.3.0*

Mitigation: Install NI LabVIEW CLI version 22.3.1 or later using NI Package Manager or here.

CVSS Score

CVE-2022-42718 – 6.7 - CVSS:3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank Michael Kenney (@bzyo_) for reporting this issue and working with us on coordinated disclosure.
