CVE-2020-25191

7.5 HIGH

📋 TL;DR

CVE-2020-25191 is an incorrect-default-permissions vulnerability in the NI CompactRIO driver API: an API entry point of a device service is exposed without authentication, so a remote, unauthenticated attacker can invoke a function that reboots the controller. It affects CompactRIO systems running driver versions prior to 20.5 and is primarily a denial-of-service risk in industrial control environments.

💻 Affected Systems

Products:
  • NI CompactRIO
Versions: Driver versions prior to 20.5
Operating Systems: NI Linux Real-Time
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations where the vulnerable API endpoint is accessible over the network.

📦 What is this software?

NI CompactRIO is National Instruments' rugged embedded controller platform (a real-time processor, a user-programmable FPGA and swappable I/O modules) used for industrial control, monitoring and data acquisition. The CompactRIO driver is the software stack, installed on the development host and deployed to the controller, through which the device is configured and accessed over the network.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sustained denial of service: an attacker repeatedly reboots the controller, halting the industrial process it runs and potentially damaging equipment through uncontrolled shutdowns.

🟠 Likely Case

Temporary service disruption through a remote reboot, causing downtime in industrial operations until the process is restarted and checked.

🟢 If Mitigated

Minimal impact: network segmentation and access controls keep untrusted hosts from reaching the vulnerable API at all.

🌐 Internet-Facing: HIGH - A directly exposed controller can be rebooted by any attacker on the internet, with no credentials required.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal hosts can still trigger reboots, but this requires network reachability to the controller's API port.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single unauthenticated HTTP request to the exposed API entry point is enough to trigger the reboot; no credentials, user interaction or exploit chain are required (CVSS 3.x vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Driver version 20.5 or later

Vendor Advisory: https://www.ni.com/en/support/documentation/supplemental/21/compactrio-driver-security-update.html

Restart Required: Yes

Instructions:

1. Download CompactRIO driver version 20.5 or later from the NI website (it is installed through NI Package Manager on the development host).
2. Stop all CompactRIO services and any running application that uses the controller.
3. Install the updated driver on the host, then deploy the updated software to each controller (for example from the target's Software tree in NI MAX).
4. Reboot the CompactRIO system.
5. Verify the installed version with the 'ni-crio-version' command.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate CompactRIO systems from untrusted networks using firewalls or VLANs.

Access Control Lists

Platform: linux (on the controller itself or on an upstream firewall)

Restrict network access to the CompactRIO API endpoint to authorized hosts only. The placeholders [API_PORT] and [TRUSTED_IP] are the service port and the permitted host. Rule order matters: iptables takes the first matching rule, so insert these ahead of any broader ACCEPT rule (use -I instead of -A if one already exists), and note that rules added this way are lost on reboot unless saved and restored at boot.

# allow the trusted host first, then drop everyone else on that port
iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate CompactRIO systems from all untrusted networks
  • Deploy network monitoring and intrusion detection for unauthorized reboot attempts

🔍 How to Verify

Check if Vulnerable:

Read the installed CompactRIO driver version and compare it numerically with 20.5: any version below 20.5 is affected. Compare as numbers, not strings (20.10 is newer than 20.5).

Check Version:

ni-crio-version

The installed version is also visible in NI MAX under the target's Software tree and, on the host, in NI Package Manager.

Verify Fix Applied:

Confirm the reported driver version is 20.5 or higher, then confirm from a host outside the trusted network that the reboot entry point no longer accepts an unauthenticated request.
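The version comparison above is easy to get wrong with string comparison ("20.10" sorts before "20.5" as text). The following is an added example, not NI tooling and not code from this page: a small Python helper that pulls the dotted version out of whatever the version command or NI MAX prints and compares it numerically against the fixed release. The sample strings are constructed, and tolerating a trailing "f0" build suffix is an assumption about NI's version formatting.

```python
import re

# First driver release that contains the fix, per the advisory summary above.
FIXED_VERSION = (20, 5)


def parse_driver_version(text):
    """Return the first dotted version in `text` as a tuple of ints.

    Accepts strings such as "20.0", "20.5.0" or "NI CompactRIO 20.0.0f0"
    (the trailing "f0" build suffix is an assumed NI-style format).
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True if the reported driver version is older than the fixed release.

    Tuple comparison is numeric per component, so 20.10 is correctly newer
    than 20.5 even though "20.10" < "20.5" as strings.
    """
    version = parse_driver_version(version_text)
    return version[: len(fixed)] < fixed


if __name__ == "__main__":
    # Constructed sample outputs, not real command output.
    for sample in ("19.6", "NI CompactRIO 20.0.0f0", "20.5", "20.10"):
        print(sample, "->", "VULNERABLE" if is_vulnerable(sample) else "fixed")
```

Feed it the raw output of the version command or the string copied from NI MAX; anything that parses as 20.5 or later is reported as fixed.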

📡 Detection & Monitoring

Log Indicators:

  • Unexpected system reboot events
  • Unauthorized API access attempts to reboot endpoint
  • Multiple reboot events in short timeframes

Network Indicators:

  • HTTP requests to CompactRIO API reboot endpoint from unauthorized sources
  • Unusual traffic patterns to industrial control system ports

SIEM Query (illustrative; field names depend on your log source):

source="compactrio" AND (event="reboot" OR api_access="unauthorized")
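The indicators above can be checked outside a SIEM as well. The following is an added example, not NI's or this page's own tooling: it parses constructed, syslog-shaped log lines (the "api:" access-log layout, the "/reboot" path and the hostnames are assumptions, not a real CompactRIO log format), flags reboot-endpoint requests from addresses outside an allowlist of trusted networks, and flags any controller that reboots three or more times within ten minutes, the "multiple reboot events in short timeframes" indicator above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a syslog-like shape; they are NOT real CompactRIO
# log output. The "api:" lines and the "/reboot" path are an assumed format for
# whatever access log fronts the driver API in your environment.
SAMPLE_LOGS = """\
2020-10-06T08:00:01Z crio-01 api: GET /reboot from 10.1.20.5 status=200
2020-10-06T08:00:03Z crio-01 kernel: reboot: Restarting system
2020-10-06T08:02:10Z crio-01 api: GET /reboot from 192.168.77.9 status=200
2020-10-06T08:02:12Z crio-01 kernel: reboot: Restarting system
2020-10-06T08:04:30Z crio-01 api: GET /reboot from 192.168.77.9 status=200
2020-10-06T08:04:32Z crio-01 kernel: reboot: Restarting system
2020-10-06T09:30:00Z crio-02 api: GET /status from 10.1.20.5 status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[\w-]+):\s+(?P<msg>.*)$")
API_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+from\s+(?P<src>\S+)")


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if m["proc"] == "kernel" and "Restarting system" in m["msg"]:
        return {"ts": ts, "host": m["host"], "kind": "reboot", "src": None, "path": None}
    if m["proc"] == "api":
        a = API_RE.match(m["msg"])
        if a:
            return {"ts": ts, "host": m["host"], "kind": "api", "src": a["src"], "path": a["path"]}
    return None


def parse_logs(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def untrusted_reboot_requests(events, trusted_nets, reboot_path="/reboot"):
    """Requests to the reboot entry point from addresses outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for ev in events:
        if ev["kind"] != "api" or ev["path"] != reboot_path:
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in nets):
            hits.append((ev["host"], ev["src"], ev["ts"]))
    return hits


def reboot_storms(events, window_s=600, threshold=3):
    """Hosts that rebooted at least `threshold` times inside any `window_s` span.

    Sliding window over each host's sorted reboot timestamps; returns one
    (host, count, first_ts, last_ts) tuple per host at the first window that
    crosses the threshold.
    """
    by_host = defaultdict(list)
    for ev in events:
        if ev["kind"] == "reboot":
            by_host[ev["host"]].append(ev["ts"])
    storms = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            while (t_end - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                storms.append((host, count, times[start], t_end))
                break  # one alert per host is enough
    return storms


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for host, src, ts in untrusted_reboot_requests(evs, ["10.1.20.0/24"]):
        print(f"ALERT untrusted reboot request: {host} from {src} at {ts:%H:%M:%S}")
    for host, n, first, last in reboot_storms(evs):
        print(f"ALERT reboot storm: {host} rebooted {n}x between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Replace the constructed sample with an export from your log source, adapt the two regular expressions to its real line layout, and tune the window and threshold to how often the controllers legitimately restart; a single reboot from an allowlisted engineering host is normal, the same path hit from an address outside the allowlist is not.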
