lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 18 Jul 2018 17:47:31 +0200
From: "Enrico Weigelt, metux IT consult" <info@...ux.net>
To: Fulldisclosure@...lists.org
Subject: [FD] CIRITICAL code injection vulnerability in National Instruments
 Linux driver package

Hello folks,

i've recently discovered a critical vulnerability in the National
Instruments Linux driver package, which opens up an remote code
injection (software update) vulnerability.


Classification:

  CRITICAL / 0day - easily exploitable


Impact:

  Complete takeover of the OS itself
  Takeover of (potentially critical) industrial machinery


Affected product(s):

  NI Linux Device Drivers / July 2018
  http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/


Affected platforms(s):

  GNU/Linux - RHEL, SLES (other distros aren't supported anyways)


Vulnerability:

  The product adds additional package repositories to the OS'es package
  manager, but disables signature checks and uses plain (unencrypted)
  HTTP for software downloads.

  Further details can be easily seen in the deployed package repository
  configuration file (ni-software-2018.repo).


Attack vectors:

  The victim can be tricked to download/install manipulated updates, eg.
  via MITM, dns spoofing, etc - so the attacker can abuse software
  updates for direct malware deployment and also take over the whole
  operating system (eg. kernel) itself.


Mitigation:

  #1: remove the package 'ni-software-2018'
  #2: make sure, the repo description files are removed:

    SLES:
    /etc/zypp/repos.d/ni-software-2018.repo
    /etc/zypp/vendors.d/ni.conf

    RHEL:
    /etc/yum/repos.d/ni-software-2018.repo

  #3: refresh the package manager index

  This removes the NI repository from the OS'es package manager - the NI
  software now can't be automatically installed/updated via package
  manager anymore.

  In case the operator still trusts the vendor enough to deploy it's
  software, this now has to be done manually (note: the packages can
  only be downloaded via insecure plain HTTP !). It's strongly adviced
  not to install any software from untrusted sources / via untrusted
  channels.

  If an system update (even a minor patch) via package manager was done
  in the meantime, it's *highly* adviced to carefully check all
  installed packages against the original repositories - the system
  easily could be compromised by now !


Solution:

  The vendor (NI) needs to setup proper package signing infrastructure,
  add it's public key to the repo configuration and enable gpgcheck.


Final notes:

  Since NI is one of few vendors with special certifications, eg. ATEX,
  railway, etc, it's likely this hardware can be found in very critical
  infrastructure (eg. power plants, factories, etc) and those
  potentially could already be compromised by now via driver update.


About the author:

  GNU/Linux veteran with strong background in software engineering,
  embedded systems, industrial automation, IT infrastructure.

  email: info@...ux.net
  phone: +49-151-27565287


-- 
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@...ux.net -- +49-151-27565287

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ