Improper Input Validation in NI-PAL

Overview

Improper input validation in NI-PAL may allow a privileged user to potentially enable escalation of privilege via local access. This vulnerability is described in CVE-2021-38304.

 

Many NI drivers include NI-PAL and are affected by this vulnerability. Refer to the Mitigation Guidance section to identify the installed version of NI-PAL and to learn how to upgrade or install the patch.

 

NI strongly recommends that you upgrade or install the patch. 

Mitigation Guidance

NI-PAL is a common component in many NI drivers. You only need to upgrade one NI driver that includes this component, or install the patch once per machine. The patch is backwards compatible with previous versions of NI software.

This vulnerability affects NI-PAL versions earlier than 20.0.1f0. To determine the version of NI-PAL installed, follow the instructions for your operating system.

Windows

Identify Installed NI-PAL Version

  1. Navigate to %WinDir%\system32\drivers folder.
  2. Find the file nipalk.sys. Right-click on the file, and select Properties.  
  3. In the Properties window, navigate to the Details tab. Note the version listed in the Product Version field.
  4. If the NI-PAL version is earlier than 20.0.1f0, continue below to install the patch for Windows.

Install Patch for Windows

  1. Download the ni-security-update-cve-2021-38304_20.0.1_offline.zip file from the Downloads section of this page.
  2. Extract the .iso file from the .zip file.
  3. (Optional) Compare the MD5 hash of the extracted .iso file to the published hash.
  4. Distribute the .iso file to the Windows machine where you will install the patch.
  5. Mount the .iso file.
  6. Run the installer to install the patch.

Linux

Identify Installed NI-PAL Version

  • Use your distribution’s package manager to view the version of the ni-pal package.
    OR
  • Execute the following command to report the version of the loaded NI-PAL kernel module:
    dkms status | grep nipalk

If the NI-PAL version is earlier than 20.0.1f0, continue below to upgrade the NI driver version.
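
The comparison above can be scripted for a fleet of Linux hosts. The following is an added example, not NI code: the function names are hypothetical, the two `dkms status` line layouts and the sample lines are assumptions constructed for illustration, and only versions of the form MAJOR.MINOR.PATCHfBUILD are compared (anything else is reported as "unknown" so it gets a manual check).

```shell
#!/bin/sh
# Added example, not NI code. Threshold taken from this advisory.
FIXED_VERSION="20.0.1f0"

# "MAJOR.MINOR.PATCHfBUILD" -> "MAJOR MINOR PATCH BUILD"; empty for other shapes.
split_version() {
    printf '%s\n' "$1" |
        sed -n -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)f([0-9]+)$/\1 \2 \3 \4/p'
}

# Print "vulnerable", "fixed" or "unknown" for one NI-PAL version string.
nipal_status() {
    have=$(split_version "$1")
    want=$(split_version "$FIXED_VERSION")
    if [ -z "$have" ]; then echo unknown; return 0; fi
    set -- $have; h1=$1 h2=$2 h3=$3 h4=$4
    set -- $want                      # $1..$4 now hold the fixed version
    for h in "$h1" "$h2" "$h3" "$h4"; do
        if [ "$h" -lt "$1" ]; then echo vulnerable; return 0; fi
        if [ "$h" -gt "$1" ]; then echo fixed; return 0; fi
        shift
    done
    echo fixed                        # equal to the fixed version
}

# Read `dkms status` output on stdin and print each nipalk version.
# Assumed layouts: "nipalk, VER, KERNEL, ARCH: state" and "nipalk/VER, ...".
dkms_nipalk_versions() {
    sed -n -E 's#^nipalk[,/] *([^,: ]+).*#\1#p'
}

# Report every nipalk entry; return 1 unless all of them are "fixed".
check_dkms_output() {
    rc=0
    for v in $(dkms_nipalk_versions); do
        s=$(nipal_status "$v")
        echo "nipalk $v: $s"
        [ "$s" = fixed ] || rc=1
    done
    return "$rc"
}

# Constructed sample input (not captured from a real host).
SAMPLE_DKMS_OUTPUT='nipalk, 20.0.0f0, 5.4.0-42-generic, x86_64: installed
nipalk/20.0.1f0, 5.15.0-76-generic, x86_64: installed'

# On a real host: dkms status | check_dkms_output
printf '%s\n' "$SAMPLE_DKMS_OUTPUT" | check_dkms_output || true
```

A host with no nipalk entry in the input produces no output and a zero exit status, so confirm the module is actually present before treating a clean result as patched.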

Upgrade for Linux

  1. Download Linux Device Drivers 2021 Q3 or later.
  2. Upgrade any NI driver to version 21.0 or later.

macOS

Identify Installed NI-PAL Version

  1. Open the System Information utility.
  2. Expand Software/Extensions in the left-hand pane.
  3. Locate the nipalk extension in the list to view the version.
  4. If the NI-PAL version is earlier than 20.0.1f0, continue below to upgrade the NI-VISA or NI-488.2 driver version.

Upgrade for macOS

NI-VISA and NI-488.2 are the only drivers affected by this vulnerability on macOS. Since NI-PAL is a shared component, you only need to upgrade one of the drivers to version 21.0 or later.

Affected Products

Product Version: NI-PAL 20.0.0f* and earlier

Mitigation:

  • Windows: Download 20.0.1f0 patch (see Downloads section)
  • Linux: Upgrade any NI driver version to 21.0 or later
  • macOS: Upgrade NI-VISA or NI GPIB to version 21.0 or later

CVSS Score

CVE-2021-38304 - 8.2 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Acknowledgements

NI would like to thank Michael Kenney (@bzyo_) for reporting this issue.

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
