CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-6806

CVSS 9.8v3.1pub. 2024-07-22upd. 2024-11-21

The NI VeriStand Gateway is missing authorization checks when an actor attempts to access Project resources. These missing checks may result in remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.

🤖 AI Analysis
How it works

The NI VeriStand Gateway component skips authorization verification (CWE-862 — Missing Authorization) when attempting to access project resources. An unauthenticated network attacker can send specially crafted requests to the Gateway, gaining access to protected project resources. The absence of these authorization controls can be directly exploited to execute code remotely on the target system.

Impact

An attacker can remotely execute arbitrary code on a system running NI VeriStand Gateway without requiring any permissions, leading to complete system takeover and loss of confidentiality, integrity, and availability of data.

Mitigation & patch

Apply patches available from the vendor according to references. Detailed information about available updates can be found on the NI support page: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/missing-authorization-checks-in-ni-veristand-gateway.html

Who is affected

NI VeriStand 2024 Q2 and all earlier versions

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ni Veristand

    APP
    Ni
    2024≤ 2024
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-6793CRITICAL9.8PL ✓ten sam produkt

RCE przez niebezpieczną deserializację w NI VeriStand DataLogging Server

CVE-2024-6794CRITICAL9.8PL ✓ten sam produkt

RCE przez deserializację danych w NI VeriStand Waveform Streaming Server

CVE-2024-6791HIGH7.8ten sam produkt

A directory path traversal vulnerability exists when loading a vsmodel file in NI VeriStand that may result in...

CVE-2024-6805HIGH7.5ten sam produkt

The NI VeriStand Gateway is missing authorization checks when an actor attempts to access File Transfer resour...

CVE-2023-5136MEDIUM5.5ten sam produkt

An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure...