Linux Users

CRITICAL VULNERABILITY in new Linux driver package

The recent Linux driver package introduces a CRITICAL security vulnerability:

http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/

It adds additional yum/zypper repos, but explicitly disables package signing and uses unencrypted HTTP transport. That way, it's pretty trivial to completely take over the affected systems by injecting malicious packages.

DO NOT INSTALL THIS BROKEN SOFTWARE - IT IS DANGEROUS!

CERT and BSI are already notified.

Linux Embedded / Kernel Hacker / BSP / Driver development / Systems engineering
Message 1 of 8

Re: CRITICAL VULNERABILITY in new Linux driver package

Have you notified our security team about this vulnerability already? I will send them an email but won't be much help if they have other follow-up questions.

http://www.ni.com/support/security/

We encourage you to report security vulnerabilities to us privately so that we can follow a coordinated disclosure process, allowing us time to thoroughly investigate security issues and publicly disclose them when appropriate.

To report security issues in our products or on ni.com, email security@ni.com with sufficient details about how to reproduce the issue. You may use the NI PGP key to encrypt any sensitive communications you send to us. When you notify us of a potential security issue, our remediation process includes acknowledging receipt and coordinating any necessary response activities with you.

For all other support issues, use one of our technical support contact methods.

Email security@ni.com


Matt J
National Instruments | CLA
Message 2 of 8

Re: CRITICAL VULNERABILITY in new Linux driver package


@Jacobson wrote:

Have you notified our security team about this vulnerability already? I will send them an email but won't be much help if they have other follow up questions.

http://www.ni.com/support/security/ 

Thanks for the link. Yesterday, I tried to find some official contact or bug tracker, but that wasn't easy to find, so I gave up.

All I found was a support form that requires a paid subscription. Obviously, I won't pay them a single penny just for being able to report a critical vulnerability - actually they should pay me for telling them what they again did terribly wrong.

In recent years, NI didn't show much reaction to bugs or design errors in the Linux drivers (actually, their whole concept is completely wrong to begin with), and their general attitude towards FOSS is pretty hostile, so I don't expect any appropriate reaction anytime soon.

Instead, I've notified several security institutions (e.g. CERT, BSI) and various tech magazines in the field of industrial automation.

Linux Embedded / Kernel Hacker / BSP / Driver development / Systems engineering
Message 3 of 8

Re: CRITICAL VULNERABILITY in new Linux driver package


@metux

Instead I've notified several security institutions (eg. CERT, BSI)

Did CERT assign a CVE ID?  I'd like to read the announcement.  Thanks!

Message 4 of 8

Re: CRITICAL VULNERABILITY in new Linux driver package


@GabeJ wrote:

@metux

Instead I've notified several security institutions (eg. CERT, BSI)

Did CERT assign a CVE ID?  I'd like to read the announcement.  Thanks!


Not yet (just an automatic ticket number: VU#398753). Maybe they're a bit overloaded.

CERT-Bund (German government institution) is tracking it as ticket #CERT-Bund#2018071828000968. Had a longer talk yesterday - they'll investigate whether NI products are used in critical infrastructure (e.g. power plants, chemical plants, etc.) and will notify plant operators through their channels.

Here's my report from yesterday to the Full Disclosure list:

Hello folks,

I've recently discovered a critical vulnerability in the National
Instruments Linux driver package, which opens up a remote code
injection (software update) vulnerability.


Classification:

  CRITICAL / 0day - easily exploitable


Impact:

  Complete takeover of the OS itself
  Takeover of (potentially critical) industrial machinery


Affected product(s):

  NI Linux Device Drivers / July 2018
  http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/


Affected platform(s):

  GNU/Linux - RHEL, SLES (other distros aren't supported anyways)


Vulnerability:

  The product adds additional package repositories to the OS's package
  manager, but disables signature checks and uses plain (unencrypted)
  HTTP for software downloads.

  Further details can be easily seen in the deployed package repository
  configuration file (ni-software-2018.repo).


Attack vectors:

  The victim can be tricked into downloading/installing manipulated updates, e.g.
  via MITM, DNS spoofing, etc. - so the attacker can abuse software
  updates for direct malware deployment and also take over the whole
  operating system (e.g. kernel) itself.


Mitigation:

  #1: remove the package 'ni-software-2018'
  #2: make sure, the repo description files are removed:

    SLES:
    /etc/zypp/repos.d/ni-software-2018.repo
    /etc/zypp/vendors.d/ni.conf

    RHEL:
    /etc/yum/repos.d/ni-software-2018.repo

  #3: refresh the package manager index

  This removes the NI repository from the OS's package manager - the NI
  software now can't be automatically installed/updated via the package
  manager anymore.

  In case the operator still trusts the vendor enough to deploy its
  software, this now has to be done manually (note: the packages can
  only be downloaded via insecure plain HTTP!). It's strongly advised
  not to install any software from untrusted sources / via untrusted
  channels.

  If a system update (even a minor patch) via the package manager was done
  in the meantime, it's *highly* advised to carefully check all
  installed packages against the original repositories - the system
  could easily be compromised by now!


Solution:

  The vendor (NI) needs to set up a proper package signing infrastructure,
  add its public key to the repo configuration and enable gpgcheck.


Final notes:

  Since NI is one of few vendors with special certifications, e.g. ATEX,
  railway, etc., it's likely this hardware can be found in very critical
  infrastructure (e.g. power plants, factories, etc.) and those
  potentially could already be compromised by now via a driver update.


About the author:

  GNU/Linux veteran with strong background in software engineering,
  embedded systems, industrial automation, IT infrastructure.

  email: info@metux.net
  phone: +49-151-27565287

Linux Embedded / Kernel Hacker / BSP / Driver development / Systems engineering
Message 5 of 8
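An added check (not from the thread or from NI) that audits yum/zypper .repo files for the two weaknesses the report describes: signature checks disabled and repo URLs on plain HTTP. It also writes a constructed weak .repo file next to the fixed form the Solution section calls for; all file contents and URLs are constructed placeholders, not the vendor's files.

```shell
#!/bin/sh
# Added example, not from the thread: audit yum/zypper .repo files for the two
# weaknesses the report describes (gpgcheck disabled, plain-HTTP repo URLs).
audit_repo_file() {
    # Prints "<file> [<section>]: <problem>" per finding; returns 1 if any.
    file=$1; found=0; section=""; gpg=""
    report() { echo "$file [$section]: $1"; found=1; }
    # a section that never sets gpgcheck inherits the global default: flag it too
    flush() { if [ -n "$section" ] && [ -z "$gpg" ]; then report "gpgcheck not set"; fi; }
    while IFS= read -r raw || [ -n "$raw" ]; do
        # normalise: strip whitespace, lower-case, skip comments and blank lines
        line=$(printf '%s' "$raw" | tr -d '[:space:]' | tr 'A-Z' 'a-z')
        case $line in ''|'#'*|';'*) continue ;; esac
        case $line in
            \[*\]) flush; section=${line#\[}; section=${section%\]}; gpg="" ;;
            gpgcheck=0|gpgcheck=off|gpgcheck=no|gpgcheck=false)
                gpg=off; report "gpgcheck disabled" ;;
            gpgcheck=*) gpg=on ;;
            baseurl=http://*|mirrorlist=http://*|metalink=http://*)
                report "unencrypted ${line%%=*} transport" ;;
        esac
    done < "$file"
    flush
    return $found
}
# Constructed sample mirroring the weakness described in the report (not the vendor's file)
write_weak_repo() {
    cat > "$1" <<'EOF'
[ni-software-2018]
name=Constructed NI-style repo (weak)
baseurl=http://repo.example.invalid/ni-software-2018/
gpgcheck=0
EOF
}
# The same repo with what the report's Solution section asks for (placeholder URLs)
write_fixed_repo() {
    cat > "$1" <<'EOF'
[ni-software-2018]
name=Constructed NI-style repo (fixed)
baseurl=https://repo.example.invalid/ni-software-2018/
gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-placeholder
EOF
}
# Stand-alone demo: the weak file yields two findings, the fixed one none
tmp=$(mktemp -d); write_weak_repo "$tmp/weak.repo"; write_fixed_repo "$tmp/fixed.repo"
for f in "$tmp"/*.repo; do audit_repo_file "$f" && echo "$f: OK"; done
rm -rf "$tmp"
```

On a real system, point audit_repo_file at each file under /etc/yum.repos.d/ or /etc/zypp/repos.d/ to find repos that would accept unsigned packages over an unauthenticated channel.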

Re: CRITICAL VULNERABILITY in new Linux driver package

Hi @metux,

Can you give me details about how you searched for proper contact information for reporting this kind of issue?

I tested it with Google a few minutes ago with the simple query "ni linux security", and the fifth link points to the security site https://www.ni.com/support/security/d/

If you could give us some details about how you started your search, I'll give this feedback to our web team so that we can try to improve the accessibility of this subsite.

Thanks.

Stefan Kissel

Senior Applications Engineer Specialist

Message 6 of 8

Re: CRITICAL VULNERABILITY in new Linux driver package


SK@NIG

can you give me details about how you searched for a proper contact information for reporting these kind of issues? 


Just looking through the website.

Linux Embedded / Kernel Hacker / BSP / Driver development / Systems engineering
Message 7 of 8

Re: CRITICAL VULNERABILITY in new Linux driver package

ni-stox.png

Linux Embedded / Kernel Hacker / BSP / Driver development / Systems engineering
Message 8 of 8