Cross-Site Scripting Vulnerability in NI Web Server Component

Visão geral

NI has discovered a reflected cross-site scripting (XSS) vulnerability in a NI Web Server component installed with several NI products.  An attacker could exploit this vulnerability by getting a user to open a specially crafted URL which executes arbitrary JavaScript code.  Refer to the table below for a list of affected NI products.

This vulnerability is designated as CVE-2022-27237.  

Contents

Mitigation Guidance

NI recommends that users upgrade the affected software products to fix against this issue.  Refer to the Affected Products section below.   

Workarounds

NI strongly recommends updating the affected products; however, if updating is not possible, the following workarounds can be used as a temporary measure.

Systems with the affected products are only vulnerable to this issue if the NI Web Server is enabled. If the system does not require the NI Web Server, it can be disabled through the NI Web Server Configuration application.

  1. Open the NI Web Server Configuration application. 

• If the NI Web Server wasn’t previously enabled, you will see an NI Web Server Guided Setup screen upon launching the application, and no further action is required. Otherwise, continue with the steps to disable the NI Web Server.

  1. Select the Control tab
  2. Select the Disable the web server option
  3. Click the Apply button. The Web Server is now disabled.

If the NI Web Server is required for your system, the following file should be modified:  

  1. Navigate to <Program Files>\National Instruments\Shared\Web Server\htdocs\login\
  2. Open the file redirect.shtml using a text editor. 

Note:  If this file does not exist, your system is not susceptible to the vulnerability. No further action is required.

  1.  Replace the contents of the file with the following:

<script>
    var authRedirectUri = '<!--#echo encoding=base64 var=AUTH_REDIR_URI -->';
    var redirect = `${window.location.origin}/#login?external=${atob(authRedirectUri)}`;
    window.location.href = redirect;
</script>
>

Affected Products

Product Version

Mitigation

SystemLink 2020 R4 (20.6)
SystemLink 2021 R1 (21.0)
SystemLink 2021 R2 (21.1)

Install SystemLink version 2021 R3 or later

FlexLogger 2021 R2
FlexLogger 2021 R3
FlexLogger 2021 R4
 

Install FlexLogger 2022 Q2 or later

LabVIEW 2021

Install LabVIEW 2021 SP1

LabVIEW 2021 Community Edition

Install LabVIEW 2021 SP1 Community

G Web Development Software 2021

Install G Web Development 2022 Q1 or later

G Web Development Software 2021 - Community Edition

Install G Web Development 2022 Q1 Community or later

Static Test Software Suite 1.1

Install Static Test Software Suite version 1.2 or later

CVSS Score

CVE-2022-27237 - 8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Was this information helpful?

Yes

No