A stack-based buffer overflow vulnerability exists in NI System Configuration that could result in information disclosure and/or arbitrary code execution. Successful exploitation requires that an attacker can provide a specially crafted response. This affects NI System Configuration 2023 Q3 and all previous versions. This vulnerability is identified as CVE-2023-4601.
This vulnerability applies to Windows systems only. NI System Configuration Runtime, which includes the issue, is installed with many NI drivers and software products. Refer to the Mitigation Guidance section to identify whether mxRmCfg.dll is installed and, if so, its version.
NI strongly recommends upgrading the affected software to fix this vulnerability.
To determine the version of NI System Configuration installed:
If the version is prior to 23.8, refer to the Affected Products table below for what software to download and install to upgrade the affected software.
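One way to run this check from PowerShell, as an added example that is not NI's documented procedure: it searches for mxRmCfg.dll and compares each copy's file version with 23.8. The search roots, and the premise that the DLL's file version tracks the NI System Configuration release version, are assumptions.

```powershell
# Added example (not from the NI advisory): find mxRmCfg.dll and flag copies older than 23.8.
# Assumptions: the search roots below, and that the DLL's file version
# matches the NI System Configuration release version (23.5, 23.8, ...).
$fixedVersion = [version]'23.8'

$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    (Join-Path $env:windir 'System32'),
    (Join-Path $env:windir 'SysWOW64')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# Recursive search can take a few minutes; access-denied folders are skipped.
$found = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Filter 'mxRmCfg.dll' -File -Recurse -ErrorAction SilentlyContinue
}

if (-not $found) {
    Write-Output 'mxRmCfg.dll not found under the searched roots.'
}
else {
    $found | ForEach-Object {
        $info = $_.VersionInfo
        # FileMajorPart/FileMinorPart are numeric, so any suffix in the
        # FileVersion string cannot break the comparison.
        $fileVersion = New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart
        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $info.FileVersion
            Status      = if ($fileVersion -lt $fixedVersion) { 'PRIOR TO 23.8 - upgrade' } else { '23.8 or later' }
        }
    } | Format-Table -AutoSize -Wrap
}
```

A host that reports no copies under these roots may still have the file elsewhere, so treat an empty result as inconclusive rather than as proof the runtime is absent.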
Product Version | Mitigation |
---|---|
NI System Configuration versions 2023 Q3 (23.5.*) and prior | Install NI System Configuration 2023 Q4 or later |
CVE-2023-4601 – 8.1 – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
This issue was reported by Anonymous working with Trend Micro Zero Day Initiative. NI would like to thank Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.