
TDMS C DLL API Dependency on Xerces 3.1.4

We use the TDM C DLL (https://www.ni.com/content/dam/web/product-documentation/c_dll_tdm.zip) kit to read and write TDM and TDMS files. We are no longer allowed to install the Xerces 3.1.4 DLL because of the vulnerabilities listed on https://www.cvedetails.com/product/31348/Apache-Xerces-c.html?vendor_id=45

This is also the case at several US government institutions and has become a critical issue. Is there a plan to upgrade the TDM C DLL kit to the latest version of Xerces 3.2.3, including the recommended fix to disable DTD processing (see https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-31348/year-2019/Apache-Xerces-...)?

Message 1 of 3

Hi HolgerZeinert,

The mentioned vulnerability is a denial of service (DoS) and is only applicable to cases where an untrusted data source is used. As the Xerces library is used in the C TDM DLL for parsing XML data which is created based on templates in the C TDM DLL/measurement devices, the data source can be considered trusted.

The only possible attack vector is obtaining access to the used measurement device and constructing special packets, which will only cause the crash of the logging server. This does not make much sense, as, having access to the measurement device, the attacker can manipulate the measurement data.

Thus, using the Xerces library in its current form in the C TDM DLL does not imply any security risks.

Regards

Message 2 of 3

Hello,

thanks for taking the time to answer.

Our application reads and writes TDM(S) files to analyze the signals. The users of our application get those files from colleagues, other teams or other companies. There are ways to modify the TDM(S) header while transferring it, or to just provide a modified version, to exploit the vulnerability.


I agree that such an attack can mainly cause our software to crash.


Still, some of our users are concerned if a DLL with known vulnerabilities is installed on their system. Their IT would not allow that.

We would appreciate an updated version, but while this is not available, we have now arranged for our software to allow the user to remove the Xerces DLL, which then disables our TDM(S) support altogether.

Message 3 of 3
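Both the original question (the recommended fix is to disable DTD processing) and the last reply (headers arrive from other teams and companies) point to the same application-side control while the kit still ships Xerces 3.1.4: screen the XML header of a .tdm file for DOCTYPE, entity declarations and external entity references before handing the file to the TDM C DLL, and refuse anything that carries them. The script below is an added example, not code from NI, the kit or anyone in this thread; the sample headers are constructed and deliberately simplified, and the `usi:tdm` root element and namespace are assumptions about the TDM header layout rather than a specification.

```python
import xml.parsers.expat as expat

def scan_tdm_header(xml_bytes: bytes) -> list:
    """Return findings (DOCTYPE, entity declarations, external entity references,
    well-formedness errors); an empty list means the header carries no DTD constructs."""
    findings = []
    parser = expat.ParserCreate()
    # Never parse parameter entities, so an external DTD subset is never fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name} (system id {system_id!r}, "
                        f"internal subset: {bool(has_internal_subset)})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        origin = "internal" if system_id is None else f"external {system_id!r}"
        findings.append(f"{kind} entity {name}: {origin}")

    def on_external_ref(context, base, system_id, public_id):
        # Record the reference but report it as handled: nothing is fetched and
        # parsing continues so every finding in the header is collected.
        findings.append(f"external entity reference {system_id!r}")
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as err:
        findings.append(f"not well-formed XML: {err}")
    return findings

def tdm_header_is_safe(xml_bytes: bytes) -> bool:
    """Gate: only hand the file to the TDM C DLL when this returns True."""
    return not scan_tdm_header(xml_bytes)

# Constructed, simplified headers; real .tdm files carry far more metadata.
CLEAN = b'''<?xml version="1.0" encoding="utf-8"?>
<usi:tdm xmlns:usi="http://www.ni.com/Schemas/USI/1_0" version="1.0">
  <usi:data><tdm_root id="usi1"><name>run_001</name></tdm_root></usi:data>
</usi:tdm>'''
INTERNAL_DTD = b'''<?xml version="1.0"?>
<!DOCTYPE usi:tdm [ <!ENTITY pad "xxxxxxxx"> ]>
<usi:tdm xmlns:usi="http://www.ni.com/Schemas/USI/1_0">&pad;</usi:tdm>'''
EXTERNAL_ENTITY = b'''<?xml version="1.0"?>
<!DOCTYPE usi:tdm [ <!ENTITY ext SYSTEM "http://dtd.example.invalid/x.xml"> ]>
<usi:tdm xmlns:usi="http://www.ni.com/Schemas/USI/1_0">&ext;</usi:tdm>'''
```

The check runs on the raw bytes before any Xerces code touches them, so it also covers the case where a user has removed the Xerces DLL and the application must decide whether to load the file at all.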