Privilege Escalation in NI System Configuration Manager

Overview

An improper input validation vulnerability in NI Configuration Manager versions prior to 22.5 may allow a privileged user to potentially enable escalation of privilege via local access. This vulnerability is identified as CVE-2022-35415.

 

NI Configuration Manager is installed with many NI drivers and software products.  This vulnerability applies to Windows systems only.  Refer to the Mitigation Guidance section for identifying the version of NI Configuration Manager installed.

 

NI strongly recommends upgrading the affected software to fix this vulnerability.

 


Mitigation Guidance

To determine the version of NI Configuration Manager installed:

  1. Navigate to <Program Files(x86)>\National Instruments\MAX\
  2. Right-click on file nimxs.exe and select Properties
  3. In the Properties window, go to the Details tab. Note the version listed as the Product Version.

If the version is prior to 22.5.0f66, refer to the Affected Products table below for what software to download and install to upgrade the affected software.
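The same check can be scripted for hosts where opening the Properties dialog is impractical. This is an added example, not NI's own code. It assumes the Product Version string has the form shown in this advisory (`22.5.0f66`); the function names are hypothetical, and the fallback to `%ProgramFiles%` on 32-bit Windows is an assumption.

```powershell
# Added example: classify an nimxs.exe Product Version against the advisory threshold.
# Assumption: the string looks like <major>.<minor>.<patch>[<phase letter><build>], e.g. "22.5.0f66".
$FixedVersion = '22.5.0f66'

function ConvertTo-NiVersion {   # hypothetical helper name
    param([string]$Text)
    if ($Text -notmatch '^\s*(\d+)\.(\d+)\.(\d+)(?:([a-z])(\d+))?') { return $null }
    [pscustomobject]@{
        Numeric = [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])
        Phase   = $Matches[4]
        Build   = if ($Matches[5]) { [int]$Matches[5] } else { $null }
    }
}

function Get-NiVersionStatus {   # hypothetical helper name
    param([string]$ProductVersion)
    $found = ConvertTo-NiVersion $ProductVersion
    $fixed = ConvertTo-NiVersion $FixedVersion
    if (-not $found) { return 'Unknown (unparsed version string)' }
    if ($found.Numeric -lt $fixed.Numeric) { return 'Affected' }
    if ($found.Numeric -gt $fixed.Numeric) { return 'Not affected' }
    # Same 22.5.0 base: compare builds only within the same phase letter.
    # No ordering between different phase letters is assumed here.
    if ($found.Phase -ne $fixed.Phase -or $null -eq $found.Build) { return 'Review manually' }
    if ($found.Build -lt $fixed.Build) { 'Affected' } else { 'Not affected' }
}

# Constructed sample strings (not taken from real installations), one per outcome.
'21.0.0f138', '22.5.0f12', '22.5.0f66', '22.8.0f0', '22.5.0', 'n/a' | ForEach-Object {
    '{0,-12} {1}' -f $_, (Get-NiVersionStatus $_)
}

# Check the local installation at the path given in the advisory.
# Assumption: on 32-bit Windows the files live under %ProgramFiles% instead.
$root = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$exe  = Join-Path $root 'National Instruments\MAX\nimxs.exe'
if (Test-Path -LiteralPath $exe) {
    $pv = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    '{0}: {1} -> {2}' -f $exe, $pv, (Get-NiVersionStatus $pv)
} else {
    "nimxs.exe not found at $exe"
}
```

A result of `Review manually` or `Unknown` means the string did not fit the assumed format closely enough to compare; confirm those hosts through the Details tab as described above.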

Affected Products

Product Version | Mitigation
NI Configuration Manager versions prior to 22.5.0* | Install NI Measurement & Automation Explorer using System Configuration 2022 Q3 or later

CVSS Score

CVE-2022-35415 – 7.9 - CVSS:3.1 AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank Michael Kenney (@bzyo_) for reporting this issue and working with us on coordinated disclosure.
