A stack-based buffer overflow vulnerability due to a missing bounds check in the NI I/O Trace Tool may result in arbitrary code execution. Successful exploitation requires an attacker to provide a user with a specially crafted nitrace file. This vulnerability affects NI I/O Trace Tool 24.3 and prior versions.
This vulnerability is identified as CVE-2024-5602.
The NI I/O Trace tool is installed as part of the NI System Configuration utilities included with many NI software products. Refer to the Mitigation Guidance section for identifying the version of NI IO Trace.exe installed. This vulnerability applies only to Windows systems.
The NI I/O Trace tool was also previously released as NI Spy.
NI strongly recommends upgrading the affected software to remediate this vulnerability.
To determine the version of NI System Configuration installed:
If the version is prior to 24.5, refer to the Affected Products table below for what software to download and install to upgrade the affected software.
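The version check above can be scripted for a fleet inventory. The following PowerShell is an added example, not an NI-supplied tool: it assumes NI IO Trace.exe is installed somewhere under Program Files or Program Files (x86) (the advisory does not state the install path), and it assumes the executable's file version tracks the NI System Configuration version that the 24.5 threshold above refers to. If either assumption does not hold in your environment, adjust the search roots or the threshold and confirm the result in NI Package Manager.

```powershell
# Added example (not NI's code): locate "NI IO Trace.exe" and report whether its
# file version is below the advisory's 24.5 threshold.
# Assumptions not stated in the advisory: the executable lives under
# Program Files / Program Files (x86), and its file version tracks the
# NI System Configuration version the threshold refers to.
$Threshold = [version]'24.5'
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

$Found = foreach ($Root in $SearchRoots) {
    Get-ChildItem -Path $Root -Filter 'NI IO Trace.exe' -Recurse -File -ErrorAction SilentlyContinue
}

if (-not $Found) {
    Write-Output 'NI IO Trace.exe not found; NI I/O Trace does not appear to be installed.'
    return
}

foreach ($Exe in $Found) {
    $Raw = $Exe.VersionInfo.FileVersion
    # FileVersion strings may carry a suffix; keep only the leading dotted numbers.
    $Parsed = $null
    if ($Raw -match '^\s*(\d+(\.\d+){1,3})') { $Parsed = [version]$Matches[1] }

    if ($null -eq $Parsed) {
        $Status = 'UNKNOWN (could not parse version)'
    } elseif ($Parsed -lt $Threshold) {
        $Status = 'AFFECTED - install NI System Configuration 2024 Q3 or later'
    } else {
        $Status = 'OK'
    }

    [pscustomobject]@{
        Path        = $Exe.FullName
        FileVersion = $Raw
        Status      = $Status
    }
}
```

Run it in an elevated PowerShell session on each Windows host that carries NI software; one row is emitted per copy of the executable found, so machines with more than one NI product installed may report several paths.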
CVE-2024-5602: CVSS v3.1 base score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank Michael Heinzl working with CISA for reporting this issue and working with us on coordinated disclosure.
| Product Version | Mitigation |
|---|---|
| NI I/O Trace 24.3 and prior | Install NI System Configuration 2024 Q3 or later from NI Package Manager or Software Downloads |