Hello folks, i've recently discovered a critical vulnerability in the National Instruments Linux driver package, which opens up an remote code injection (software update) vulnerability. Classification: CRITICAL / 0day - easily exploitable Impact: Complete takeover of the OS itself Takeover of (potentially critical) industrial machinery Affected product(s): NI Linux Device Drivers / July 2018 http://www.ni.com/download/ni-linux-device-drivers-2018/7664/en/ Affected platforms(s): GNU/Linux - RHEL, SLES (other distros aren't supported anyways) Vulnerability: The product adds additional package repositories to the OS'es package manager, but disables signature checks and uses plain (unencrypted) HTTP for software downloads. Further details can be easily seen in the deployed package repository configuration file (ni-software-2018.repo). Attack vectors: The victim can be tricked to download/install manipulated updates, eg. via MITM, dns spoofing, etc - so the attacker can abuse software updates for direct malware deployment and also take over the whole operating system (eg. kernel) itself. Mitigation: #1: remove the package 'ni-software-2018' #2: make sure, the repo description files are removed: SLES: /etc/zypp/repos.d/ni-software-2018.repo /etc/zypp/vendors.d/ni.conf RHEL: /etc/yum/repos.d/ni-software-2018.repo #3: refresh the package manager index This removes the NI repository from the OS'es package manager - the NI software now can't be automatically installed/updated via package manager anymore. In case the operator still trusts the vendor enough to deploy it's software, this now has to be done manually (note: the packages can only be downloaded via insecure plain HTTP !). It's strongly adviced not to install any software from untrusted sources / via untrusted channels. If an system update (even a minor patch) via package manager was done in the meantime, it's *highly* adviced to carefully check all installed packages against the original repositories - the system easily could be compromised by now ! Solution: The vendor (NI) needs to setup proper package signing infrastructure, add it's public key to the repo configuration and enable gpgcheck. Final notes: Since NI is one of few vendors with special certifications, eg. ATEX, railway, etc, it's likely this hardware can be found in very critical infrastructure (eg. power plants, factories, etc) and those potentially could already be compromised by now via driver update. About the author: GNU/Linux veteran with strong background in software engineering, embedded systems, industrial automation, IT infrastructure. email: info@metux.net phone: +49-151-27565287 -- Enrico Weigelt, metux IT consult Free software and Linux embedded engineering info@metux.net -- +49-151-27565287