// For flags

CVE-2024-6122

Incorrect Default Directory Permissions for NI SystemLink Redis Service

Severity Score

5.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

An incorrect permission in the installation directory for the shared NI SystemLink Server KeyValueDatabase service may result in information disclosure via local access. This affects NI SystemLink Server 2024 Q1 and prior versions. It also affects NI FlexLogger 2023 Q2 and prior versions which installed this shared service.

Un permiso incorrecto en el directorio de instalación para el servicio compartido NI SystemLink Server KeyValueDatabase puede resultar en la divulgación de información a través del acceso local. Esto afecta a NI SystemLink Server 2024 Q1 y versiones anteriores. También afecta a NI FlexLogger 2023 Q2 y versiones anteriores que instalaron este servicio compartido.

This vulnerability allows local attackers to disclose sensitive information on affected installations of NI FlexLogger. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the configuration of Redis. The issue results from the incorrect assignment of permissions to access Redis credentials. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

*Credits: 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-06-18 CVE Reserved
  • 2024-07-22 CVE Published
  • 2024-08-01 CVE Updated
  • 2024-09-11 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-276: Incorrect Default Permissions
CAPEC
  • CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
NI
Search vendor "NI"
 SystemLink Server
Search vendor "NI" for product "SystemLink Server"
 <= 24.1
Search vendor "NI" for product "SystemLink Server" and version " <= 24.1"
en
Affected
NI
Search vendor "NI"
 FlexLogger
Search vendor "NI" for product "FlexLogger"
 <= 23.2
Search vendor "NI" for product "FlexLogger" and version " <= 23.2"
en
Affected