CVE-2024-6675
📋 TL;DR
A deserialization vulnerability in NI VeriStand allows remote code execution when a user opens a malicious project file. This affects VeriStand 2024 Q2 and earlier versions, potentially compromising systems running this industrial automation software.
💻 Affected Systems
- NI VeriStand
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the VeriStand host, potentially leading to industrial process disruption, data theft, or lateral movement within operational technology networks.
Likely Case
Local privilege escalation or system compromise on the workstation where the malicious project file is opened, allowing attackers to steal credentials, install malware, or pivot to other systems.
If Mitigated
Limited impact with proper user training and file validation, potentially resulting in failed exploitation or isolated application crash.
🎯 Exploit Status
Exploitation requires social engineering to trick users into opening malicious files. No authentication bypass needed beyond user interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version beyond 2024 Q2
Restart Required: Yes
Instructions:
1. Download latest NI VeriStand update from NI website. 2. Run installer with administrative privileges. 3. Restart system after installation completes.
🔧 Temporary Workarounds
Restrict project file execution
windowsConfigure application control to restrict execution of VeriStand project files from untrusted sources
Use Windows AppLocker or similar to restrict .vsproj file execution
User awareness training
allTrain users to only open project files from trusted sources and verify file integrity
🧯 If You Can't Patch
- Implement strict application whitelisting to prevent unauthorized VeriStand execution
- Isolate VeriStand systems from critical networks and implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Check VeriStand version in Help > About. If version is 2024 Q2 or earlier, system is vulnerable.Check Version:
Open NI VeriStand and navigate to Help > About to view version informationVerify Fix Applied:
Verify VeriStand version is updated beyond 2024 Q2 in Help > About menu.📡 Detection & Monitoring
Log Indicators:
- Unexpected VeriStand process crashes
- Suspicious file access patterns for .vsproj files
- Unusual network connections from VeriStand process
Network Indicators:
- Outbound connections from VeriStand to unexpected external IPs
- Unusual protocol usage from engineering workstations
SIEM Query:
Process Creation where Image contains 'veristand' AND CommandLine contains '.vsproj' from untrusted sources🔗 References
- https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/deserialization-of-untrusted-data-vulnerability-in-ni-veristand-project-file.html
- https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/deserialization-of-untrusted-data-vulnerability-in-ni-veristand-project-file.html
