cve-2024-5602
Vulnerability from cvelistv5
Published: 2024-07-23 13:15
Modified: 2024-08-01 21:18
Summary
A stack-based buffer overflow vulnerability due to a missing bounds check in the NI I/O Trace Tool may result in arbitrary code execution. Successful exploitation requires an attacker to provide a user with a specially crafted nitrace file. The NI I/O Trace tool is installed as part of the NI System Configuration utilities included with many NI software products. Refer to the NI Security Advisory for identifying the version of NI IO Trace.exe installed. The NI I/O Trace tool was also previously released as NI Spy.


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:ni:system_configuration:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "system_configuration",
            "vendor": "ni",
            "versions": [
              {
                "lessThanOrEqual": "24.3",
                "status": "affected",
                "version": "0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5602",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-23T14:06:24.315632Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-23T14:11:46.604Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:18:06.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/stack-based-buffer-overflow-vulnerability-in-ni-io-trace-tool.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IO Trace Tool",
          "vendor": "NI",
          "versions": [
            {
              "lessThanOrEqual": "24.3",
              "status": "affected",
              "version": "0",
              "versionType": "server"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Heinzl working with CISA"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA stack-based buffer overflow vulnerability due to a missing bounds check in the NI I/O Trace Tool may result in arbitrary code execution.  Successful exploitation requires an attacker to provide a user with a specially crafted nitrace file.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cp\u003eThe NI I/O Trace tool is installed as part of the NI System Configuration utilities included with many NI software products.\u202f Refer to the NI Security Advisory for identifying the version of NI IO Trace.exe installed. The NI I/O Trace tool was also previously released as NI Spy.\u202f\u0026nbsp; \u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "A stack-based buffer overflow vulnerability due to a missing bounds check in the NI I/O Trace Tool may result in arbitrary code execution.  Successful exploitation requires an attacker to provide a user with a specially crafted nitrace file.\n\nThe NI I/O Trace tool is installed as part of the NI System Configuration utilities included with many NI software products.\u202f Refer to the NI Security Advisory for identifying the version of NI IO Trace.exe installed. The NI I/O Trace tool was also previously released as NI Spy."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-23T13:15:50.508Z",
        "orgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
        "shortName": "NI"
      },
      "references": [
        {
          "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/stack-based-buffer-overflow-vulnerability-in-ni-io-trace-tool.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Stack-based Buffer Overflow Vulnerability in NI I/O Trace Tool",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4",
    "assignerShortName": "NI",
    "cveId": "CVE-2024-5602",
    "datePublished": "2024-07-23T13:15:50.508Z",
    "dateReserved": "2024-06-03T18:30:25.158Z",
    "dateUpdated": "2024-08-01T21:18:06.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A stack-based buffer overflow vulnerability due to a missing bounds check in the NI I/O Trace Tool may result in arbitrary code execution.  Successful exploitation requires an attacker to provide a user with a specially crafted nitrace file.\\n\\nThe NI I/O Trace tool is installed as part of the NI System Configuration utilities included with many NI software products.\\u202f Refer to the NI Security Advisory for identifying the version of NI IO Trace.exe installed. The NI I/O Trace tool was also previously released as NI Spy.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de desbordamiento de b\\u00fafer en la regi\\u00f3n stack de la memoria debido a una verificaci\\u00f3n de l\\u00edmites faltantes en NI I/O Trace Tool puede resultar en la ejecuci\\u00f3n de c\\u00f3digo arbitrario. La explotaci\\u00f3n exitosa requiere que un atacante proporcione al usuario un archivo nitrace especialmente manipulado. La herramienta NI I/O Trace se instala como parte de las utilidades de configuraci\\u00f3n del sistema NI incluidas con muchos productos de software de NI. Consulte el Aviso de seguridad de NI para identificar la versi\\u00f3n de NI IO Trace.exe instalada. La herramienta NI I/O Trace tambi\\u00e9n se lanz\\u00f3 anteriormente como NI Spy.\"}]",
      "id": "CVE-2024-5602",
      "lastModified": "2024-11-21T09:48:00.070",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@ni.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
      "published": "2024-07-23T14:15:15.077",
      "references": "[{\"url\": \"https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/stack-based-buffer-overflow-vulnerability-in-ni-io-trace-tool.html\", \"source\": \"security@ni.com\"}, {\"url\": \"https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/stack-based-buffer-overflow-vulnerability-in-ni-io-trace-tool.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@ni.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@ni.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-121\"}]}]"
    }
  }
}

