Improper Restriction in NI MeasurementLink Python Services

Overview

An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services that were intended to be exposed only on localhost. These services were previously thought to be unreachable from outside the node. This affects measurement plug-ins written in Python that use version 1.1.0 of the ni-measurementlink-service Python package or any earlier version. This vulnerability is identified as CVE-2023-4570.
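The difference between a service that is reachable only from the local host and one that an adjacent-network attacker can reach comes down to the bind address. The Python below is an added illustration, not NI's code: it opens an all-interfaces listener beside a loopback-only one using plain TCP sockets in place of the gRPC server, and includes a check that reports whether a bound socket is reachable from beyond the host. The assumption that affected builds listened on all interfaces while the fix restricts the port to loopback is inferred from the fixed-version log line quoted under Mitigation Guidance and is not stated explicitly by the advisory.

```python
"""Loopback-only vs all-interfaces listeners, with a check for the exposed case.

Added illustration for CVE-2023-4570, not NI code. Assumption: affected versions
bound their service port on all interfaces and the fix restricts it to loopback,
which matches the "listening on: http://[::1]:nnnnn" message of fixed versions.
Plain TCP sockets stand in for the gRPC server.
"""
import ipaddress
import socket
from typing import Tuple


def open_listener(bind_host: str, port: int = 0) -> socket.socket:
    """Bind a listening TCP socket. Port 0 lets the OS pick a free port, as a
    measurement service does. If the kernel has no IPv6 (common in containers),
    fall back to the equivalent IPv4 address so the demo still runs."""
    family = socket.AF_INET6 if ":" in bind_host else socket.AF_INET
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
        try:
            sock.bind((bind_host, port))
        except OSError:
            sock.close()
            raise
    except OSError:
        if family != socket.AF_INET6:
            raise
        fallback = "127.0.0.1" if bind_host == "::1" else "0.0.0.0"
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind((fallback, port))
    sock.listen(1)
    return sock


def bound_address(sock: socket.socket) -> Tuple[str, int]:
    """(ip, port) the socket actually ended up on."""
    name = sock.getsockname()
    return name[0], name[1]


def reachable_beyond_host(sock: socket.socket) -> bool:
    """True when the bind address is not loopback: any host that can route to this
    machine (an adjacent-network attacker included) can reach the service.
    "::" and "0.0.0.0" mean all interfaces; on Linux "::" also accepts IPv4
    unless IPV6_V6ONLY is set."""
    ip, _ = bound_address(sock)
    return not ipaddress.ip_address(ip).is_loopback


def demo() -> dict:
    """Open the affected-style and fixed-style bindings side by side."""
    exposed = open_listener("::")    # affected behaviour: all interfaces
    local = open_listener("::1")     # fixed behaviour: loopback only
    try:
        return {
            "all_interfaces": {"bound": bound_address(exposed),
                               "exposed": reachable_beyond_host(exposed)},
            "loopback": {"bound": bound_address(local),
                         "exposed": reachable_beyond_host(local)},
        }
    finally:
        exposed.close()
        local.close()


if __name__ == "__main__":
    for name, info in demo().items():
        print(f"{name:15s} bound={info['bound']} exposed_to_network={info['exposed']}")
```

The `reachable_beyond_host` check is the one worth reusing: point it at any socket your own services open and it tells you whether a firewall is the only thing standing between the port and the rest of the subnet.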

Mitigation Guidance

NI strongly recommends upgrading the affected software.  Refer to the Affected Products section for information on which components to upgrade. 

To upgrade the ni-measurementlink-service Python package:

  1. Terminate all measurement service processes.
    • To terminate statically registered measurement services, open Task Manager, select the Details tab, find the NationalInstruments.MeasurementLink.DiscoveryService.exe process, and select End task.
    • If you have manually launched any measurement services, terminate those as well.
  2. Upgrade ni-measurementlink-service for each measurement plug-in project.
    • If the project has version constraints in a pyproject.toml or requirements.txt file, update the file to require ni-measurementlink-service version 1.1.1 or later.
    • If the project has a dependency lock file, update it. For example, if you are using the Poetry tool to manage your projects, run the poetry lock command.
    • Commit the updated files to version control, if applicable.
    • Upgrade or delete/re-create all virtual environments associated with the project. For example, if you are using Poetry, run the poetry install command to install the updated dependencies into the project’s virtual environment.
    • If you use PyInstaller to build EXEs for your measurement plug-ins, rebuild them.
  3. Reinstall the updated measurement plug-ins to the MeasurementLink static registration directory (C:\ProgramData\National Instruments\MeasurementLink\Services).

You can confirm that the upgrade was applied by running your measurements and then checking the MeasurementLink log files located in C:\ProgramData\National Instruments\MeasurementLink\Logs.

  • Affected versions of ni-measurementlink-service log the message “Measurement service hosted on port: nnnnn", where nnnnn is a placeholder for the TCP port number.
  • Fixed versions of ni-measurementlink-service log the message “Measurement service listening on: http://[::1]:nnnnn”, where nnnnn is a placeholder for the TCP port number and [::1] is the IPv6 loopback address, which confirms that the service accepts only local connections.
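The log check above is easy to automate across a fleet of test stations. The script below is an added example, not NI tooling: it classifies each log line using the two messages quoted in this advisory, summarises which ports still belong to an affected version, and as an extra safety net flags any "listening on" line whose address is not loopback (the advisory does not describe such a case; that branch is an assumption). The sample log lines and their timestamp layout are constructed; the default log directory is the one named above.

```python
"""Scan MeasurementLink log files for the messages that distinguish affected from
fixed ni-measurementlink-service versions (CVE-2023-4570). Added example, not NI tooling."""
import re
from collections import Counter
from pathlib import Path
from typing import Iterable, Optional, Tuple

# The two log messages quoted in the advisory.
AFFECTED_RE = re.compile(r"Measurement service hosted on port:\s*(\d+)")   # <= 1.1.0
FIXED_RE = re.compile(r"Measurement service listening on:\s*(\S+)")         # >= 1.1.1
# Loopback-only URLs. Anything else would be reachable from other hosts.
LOOPBACK_URL_RE = re.compile(r"^https?://(?:\[::1\]|127\.0\.0\.1|localhost):(\d+)/?$")

# Directory named in the advisory; used only when scan_log_dir() is called.
DEFAULT_LOG_DIR = Path(r"C:\ProgramData\National Instruments\MeasurementLink\Logs")

# Constructed sample lines (timestamp layout is an assumption, not NI's real format).
SAMPLE_LOG = """\
2023-09-12 10:01:02 INFO Measurement service hosted on port: 50051
2023-09-12 10:05:44 INFO Measurement service listening on: http://[::1]:50052
2023-09-12 10:06:01 INFO Discovery service started
"""


def classify_line(line: str) -> Optional[Tuple[str, int]]:
    """Map a log line to (status, port), or None if it is not a bind message.

    affected: pre-1.1.1 message; no bind address is logged, treat as exposed.
    fixed:    1.1.1+ message with a loopback address.
    exposed:  'listening on' with a non-loopback address. Not described by the
              advisory; flagged here as an assumption-driven safety net.
    """
    m = AFFECTED_RE.search(line)
    if m:
        return "affected", int(m.group(1))
    m = FIXED_RE.search(line)
    if not m:
        return None
    url = m.group(1).rstrip('",.')
    lb = LOOPBACK_URL_RE.match(url)
    if lb:
        return "fixed", int(lb.group(1))
    try:
        port = int(url.rstrip("/").rsplit(":", 1)[-1])
    except ValueError:
        port = 0
    return "exposed", port


def scan_lines(lines: Iterable[str]) -> dict:
    """Summarise a log stream: per-status counts and ports that still need action."""
    counts: Counter = Counter()
    needs_action = set()
    for line in lines:
        result = classify_line(line)
        if result is None:
            continue
        status, port = result
        counts[status] += 1
        if status != "fixed":
            needs_action.add(port)
    return {
        "counts": dict(counts),
        "ports_needing_action": sorted(needs_action),
        # "All fixed" only if at least one fixed-version message was seen and no bad ones.
        "all_fixed": counts["fixed"] > 0 and not needs_action,
    }


def scan_log_dir(log_dir: Path = DEFAULT_LOG_DIR) -> dict:
    """Read every file under the log directory and summarise it."""
    lines = []
    for path in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        lines.extend(path.read_text(encoding="utf-8", errors="replace").splitlines())
    return scan_lines(lines)


if __name__ == "__main__":
    print(scan_lines(SAMPLE_LOG.splitlines()))
```

Run `scan_log_dir()` on a station after the upgrade and before re-enabling it; an empty `ports_needing_action` together with `all_fixed` being true is the signal that every plug-in that has been exercised is on 1.1.1 or later. Plug-ins that have not been run since the upgrade will not have logged anything yet, so run each measurement once before trusting the result.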

Affected Products

Product: NI MeasurementLink with Python measurement plug-ins
Version: ni-measurementlink-service 1.0.0, 1.0.1, or 1.1.0
Mitigation: Upgrade all Python measurement plug-ins to use ni-measurementlink-service version 1.1.1 or later

CVSS Score

CVE-2023-4570 – 8.8 (High) – CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

None.
