Improper Input Validation in NI-PAL

Overview

Improper input validation in NI-PAL may allow a privileged user to enable escalation of privilege via local access. NI-PAL is installed with many NI products. NI-PAL versions 20.0.0 and prior are affected. This vulnerability is described in CVE-2021-38304.

 

NI strongly recommends that users upgrade or install the patch. 

Mitigation Guidance

To determine the version of NI-PAL installed, follow the instructions for your operating system:

Windows:

  1. Navigate to the %WinDir%\system32\drivers folder.
  2. Find the file nipalk.sys, right-click on the file, and select Properties. In the Properties window, go to the Details tab, which shows the Product Version.

Linux:
Option 1:

  • Use your distribution’s package manager to view the version of the ni-pal package

Option 2:

  • Execute the following command to report the version of the loaded NI-PAL kernel module:
    dkms status | grep nipalk

Mac:

  1. Open the System Information utility
  2. Expand Software/Extensions in the left-hand pane
  3. Locate the nipalk extension in the list to view the version

Versions 20.0.0 and prior are affected and users should install the patches as described below.
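
The Linux Option 2 check above can be scripted for use across several hosts. The following is an added example, not NI's code: the function names and the sample `dkms status` lines are constructed, and the version string form (such as 20.0.0f0) is an assumption.

```shell
#!/bin/sh
# Added example: classify the nipalk version from `dkms status` against the
# advisory's affected range (20.0.0 and prior). Function names are hypothetical.

# Print the nipalk version from `dkms status` output on stdin. Accepts both the
# "nipalk, VER, ..." and "nipalk/VER, ..." layouts used by different dkms releases.
nipal_version_from_dkms() {
    sed -n 's#^nipalk[,/] *\([^,: ]*\).*#\1#p' | head -n 1
}

# Return 0 if the version is affected (<= 20.0.0), 1 if newer, 2 if unparseable.
# Only the leading major.minor.patch is compared; a trailing build tag
# (assumed form: f0) is ignored.
nipal_is_affected() {
    num=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{0,2\}\).*/\1/p')
    [ -n "$num" ] || return 2
    old_ifs=$IFS; IFS=.
    set -- $num
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 20 ] && return 0
    [ "$major" -gt 20 ] && return 1
    # major == 20: only 20.0.0 itself is still in the affected range
    [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ] && return 0
    return 1
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OLD='nipalk, 20.0.0f0, 5.4.0-42-generic, x86_64: installed'
SAMPLE_NEW='nipalk/21.0.0f0, 5.15.0-91-generic, x86_64: installed'

# Print AFFECTED, OK, or UNKNOWN for one `dkms status` capture.
nipal_report() {
    ver=$(printf '%s\n' "$1" | nipal_version_from_dkms)
    if [ -z "$ver" ]; then echo "UNKNOWN nipalk-not-found"; return 0; fi
    rc=0; nipal_is_affected "$ver" || rc=$?
    case $rc in
        0) echo "AFFECTED $ver" ;;
        1) echo "OK $ver" ;;
        *) echo "UNKNOWN $ver" ;;
    esac
}

nipal_report "$SAMPLE_OLD"
nipal_report "$SAMPLE_NEW"
# On a live host: nipal_report "$(dkms status)"
```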

Affected Products

Product Version | Mitigation
Windows | See Downloads section for 20.0.1f0 patch
Mac | Upgrade NI-VISA or NI GPIB to version 21.0 or later
Linux | Upgrade to 21.0 or later versions of any driver

CVSS Score

CVE-2021-38304 - 8.2 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Acknowledgements

NI would like to thank Michael Kenney (@bzyo_) for reporting this issue.

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
