CVE-2024-1156

7.8 HIGH

📋 TL;DR

This vulnerability involves incorrect directory permissions for the shared NI RabbitMQ service, allowing local authenticated users to read RabbitMQ configuration information. This could potentially lead to privilege escalation. It affects NI SystemLink software users with local access to vulnerable systems.

💻 Affected Systems

Products:
  • NI SystemLink
Versions: Specific versions not detailed in provided references; check NI advisory for exact affected versions
Operating Systems: Windows, Linux (where NI SystemLink is deployed)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects shared RabbitMQ service configuration in NI SystemLink deployments. Requires local authenticated access to the system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local authenticated attacker reads sensitive RabbitMQ configuration, uses credentials or secrets found to escalate privileges to administrative level, potentially gaining full system control.

🟠 Likely Case

Local user accesses RabbitMQ configuration files containing service credentials, enabling unauthorized access to RabbitMQ management or other services.

🟢 If Mitigated

With proper access controls and monitoring, impact limited to configuration file access without successful privilege escalation.

🌐 Internet-Facing: LOW - This requires local authenticated access, not directly exploitable over internet.
🏢 Internal Only: HIGH - Local authenticated users (including potentially compromised accounts) can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access and basic file system navigation skills to access improperly permissioned directories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check NI advisory for specific patched versions

Vendor Advisory: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/incorrect-permissions-for-shared-systemlink-elixir-based-service.html

Restart Required: Yes

Instructions:

1. Review NI security advisory for affected versions.
2. Download and apply the latest NI SystemLink update from NI website.
3. Restart affected services/systems as required.

🔧 Temporary Workarounds

Adjust RabbitMQ directory permissions (Linux)

Manually correct permissions on RabbitMQ configuration directories to restrict access to authorized users only.

chmod 700 /path/to/rabbitmq/config/directory
chown rabbitmq:rabbitmq /path/to/rabbitmq/config/directory

Restrict local user access (all platforms)

Implement strict access controls to limit which local users can access systems running NI SystemLink.

🧯 If You Can't Patch

  • Implement strict principle of least privilege for local user accounts
  • Monitor access to RabbitMQ configuration directories and alert on unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check permissions on the RabbitMQ configuration directories with 'ls -la /path/to/rabbitmq/config/' and verify that only the RabbitMQ service user has read/write access.

Check Version:

Check NI SystemLink version via NI software management tools or consult NI documentation for version checking commands.

Verify Fix Applied:

Verify that directory permissions are corrected and that the directories are accessible only by the RabbitMQ service account. Test by attempting to read the configuration files as a non-privileged user.
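
The checks above can be scripted. The following is an added example, not from NI or the original page: a POSIX shell function that walks a RabbitMQ configuration directory on Linux and reports every entry that grants any group/other permission or is not owned by the expected service account. The function name is hypothetical, the directory path is a placeholder, and the `rabbitmq` owner is taken from the workaround commands; run it as root so every subdirectory can be inspected.

```shell
#!/bin/sh
# Added example: audit a RabbitMQ configuration directory after applying
# the permission workaround (chmod 700 / chown rabbitmq:rabbitmq).
#
# Usage (as root; path is a placeholder, owner assumed from the workaround):
#   audit_config_dir /path/to/rabbitmq/config/directory rabbitmq
#
# Prints one offending path per line.
# Returns 0 = clean, 1 = findings, 2 = could not complete the audit.
audit_config_dir() {
    dir=$1
    owner=$2   # user name or numeric UID of the service account

    if [ ! -d "$dir" ]; then
        echo "audit_config_dir: not a directory: $dir" >&2
        return 2
    fi

    # Flag anything with a group or other permission bit set, or owned by
    # someone other than the service account. Symlinks are skipped because
    # their own mode bits are always 777 on Linux and carry no meaning.
    findings=$(find "$dir" ! -type l \( \
            -perm -040 -o -perm -020 -o -perm -010 \
         -o -perm -004 -o -perm -002 -o -perm -001 \
         -o ! -user "$owner" \) -print) || {
        # find fails on an unknown owner name or an unreadable subdirectory.
        echo "audit_config_dir: find failed; check owner name and run as root" >&2
        return 2
    }

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Files below a top-level directory that is already mode 700 cannot be reached by other users, so findings there are hardening items rather than direct exposure; a finding on the top-level directory itself is the condition the workaround corrects.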

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to RabbitMQ configuration files
  • File access logs showing non-RabbitMQ users reading configuration directories

Network Indicators:

  • Unusual RabbitMQ management interface access from unexpected local users

SIEM Query:

source="file_access_logs" AND (path="*rabbitmq*config*" OR filename="rabbitmq.config") AND user!="rabbitmq"
