A stack-based buffer overflow vulnerability has been discovered in the NI I/O Trace Tool, identified as CVE-2024-5602. This flaw arises from a missing bounds check, which can lead to arbitrary code execution if an attacker provides a specially crafted nitrace file to a user. The issue affects versions 24.3 and earlier of the NI I/O Trace Tool, which is a component of the NI System Configuration utilities installed with various NI software products. The vulnerability is specific to Windows systems.
The NI I/O Trace Tool, formerly known as NI Spy, is widely used for troubleshooting and debugging within NI software environments. This vulnerability is rated with a CVSS score of 7.8, indicating a high severity level due to its potential impact on confidentiality, integrity, and availability. Successful exploitation of this flaw requires an attacker to deliver a malicious nitrace file, which then allows them to execute arbitrary code on the affected system. This could lead to unauthorized access or control over the system, posing a significant security risk.
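The flaw class described above (a length field taken from an input file and used to copy into a fixed-size buffer without a bounds check) is easiest to see in code. The C below is an added example written for this page, not NI's code, and the record layout, field names and return codes are assumptions invented for illustration; the real nitrace format is not documented here. It shows the unchecked copy beside a checked parser that validates the claimed length against both the destination size and the bytes actually present, and drives both with constructed sample records.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed record layout for this example (NOT the real nitrace format):
 *   [u8 name_len][name_len bytes: API call name][u32 little-endian call_id] */
#define NAME_MAX 32

typedef struct {
    char name[NAME_MAX];   /* fixed-size destination; the overflow target */
    uint32_t call_id;
} trace_record;

/* Vulnerable pattern: the length byte read from the file is trusted, so a
 * file claiming name_len > NAME_MAX writes past out->name. It is only ever
 * called here with a well-formed record; it exists for contrast. */
static int parse_record_unchecked(const uint8_t *buf, trace_record *out)
{
    size_t name_len = buf[0];
    memcpy(out->name, buf + 1, name_len);    /* no bounds check */
    out->name[name_len] = '\0';
    const uint8_t *p = buf + 1 + name_len;
    out->call_id = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                   ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Hardened pattern: validate before any copy. Return codes are assumptions. */
enum { PARSE_OK = 0, PARSE_EMPTY = -1, PARSE_NAME_TOO_LONG = -2, PARSE_TRUNCATED = -3 };

static int parse_record_checked(const uint8_t *buf, size_t buf_len, trace_record *out)
{
    if (buf_len < 1) return PARSE_EMPTY;
    size_t name_len = buf[0];
    if (name_len >= NAME_MAX) return PARSE_NAME_TOO_LONG;     /* keep room for the NUL */
    if (buf_len < 1 + name_len + 4) return PARSE_TRUNCATED;   /* body shorter than header claims */
    memcpy(out->name, buf + 1, name_len);
    out->name[name_len] = '\0';
    const uint8_t *p = buf + 1 + name_len;
    out->call_id = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                   ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return PARSE_OK;
}

/* Constructed sample: a well-formed record naming "viOpen" with call_id 42. */
static const uint8_t GOOD_RECORD[] = { 6, 'v','i','O','p','e','n', 42, 0, 0, 0 };

/* Constructed sample: header claims a 64-byte name, twice the destination size. */
static size_t build_oversized_record(uint8_t *buf, size_t cap)
{
    size_t need = 1 + 64 + 4;
    if (cap < need) return 0;
    buf[0] = 64;
    memset(buf + 1, 'A', 64);
    memset(buf + 65, 0, 4);
    return need;
}

int example_good_status(void)
{
    trace_record r;
    return parse_record_checked(GOOD_RECORD, sizeof GOOD_RECORD, &r);
}

uint32_t example_good_call_id(void)
{
    trace_record r;
    if (parse_record_checked(GOOD_RECORD, sizeof GOOD_RECORD, &r) != PARSE_OK) return 0;
    return r.call_id;
}

/* On well-formed input both parsers agree; the checked one only adds refusal. */
int example_unchecked_matches_checked(void)
{
    trace_record a, b;
    parse_record_unchecked(GOOD_RECORD, &a);
    parse_record_checked(GOOD_RECORD, sizeof GOOD_RECORD, &b);
    return strcmp(a.name, b.name) == 0 && a.call_id == b.call_id;
}

int example_oversized_status(void)
{
    uint8_t buf[128];
    size_t n = build_oversized_record(buf, sizeof buf);
    trace_record r;
    return parse_record_checked(buf, n, &r);   /* rejected before any byte is copied */
}

int example_truncated_status(void)
{
    trace_record r;
    return parse_record_checked(GOOD_RECORD, sizeof GOOD_RECORD - 2, &r);
}

int main(void)
{
    printf("good: status %d, call_id %u\n", example_good_status(), (unsigned)example_good_call_id());
    printf("oversized: status %d\n", example_oversized_status());
    printf("truncated: status %d\n", example_truncated_status());
    return 0;
}
```

The oversized record is never handed to the unchecked parser, since that copy would corrupt the caller's stack frame; the checked parser rejects it from the header alone. The second check, that the buffer actually holds the bytes the header promises, is the companion defect (an over-read rather than an over-write) that a file parser fix should close at the same time.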
NI has strongly advised users to upgrade to NI System Configuration 2024 Q3 or later versions to address this vulnerability. The update can be accessed via NI Package Manager or NI’s Software Downloads portal. Applying this update is crucial for mitigating the risk and ensuring that systems remain secure against potential exploitation of the identified vulnerability.
The discovery of this vulnerability underscores the critical need for regular software updates and vigilance in maintaining system security. Users are encouraged to review NI’s mitigation guidance and take prompt action to upgrade their software. By adhering to these recommendations, users can better protect their systems from future threats and vulnerabilities.