Severity: HIGH
Description: A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects G Web Development Software 2022 Q3 and prior versions.
CVSS Score: 7.8
1. Risk Assessment
The vulnerability CVE-2024-12742 is a deserialization of untrusted data flaw in NI G Web Development Software. The software deserializes content from project files without adequately validating it, which allows an attacker to execute arbitrary code in the context of the user who opens the file. The CVSS score of 7.8 (HIGH) indicates a significant risk. Exploitation requires user interaction, specifically a user opening a crafted project file, so the attack is moderately easy to carry out once an attacker can deliver the malicious file to a target. The impact is high across the board: confidentiality, integrity, and availability could all be compromised if code execution succeeds. Business impact could range from data theft and modification to complete system compromise, potentially disrupting development workflows and product timelines. The EPSS score of 0.005070000 suggests a relatively low, but still present, probability of exploitation in the wild.
2. Potential Attack Scenarios
An attacker could craft a malicious G Web Development Software project file containing a serialized object that carries attacker-controlled code. The file could be delivered to a target user via email, a shared network drive, or a web download. When the user opens the project file in a vulnerable version of G Web Development Software, the deserialization step executes the embedded code. The attacker could use this foothold to take control of the user's system, installing malware, stealing credentials, or tampering with project data. For example, the attacker could install a keylogger to capture credentials used within the G Web Development Software environment, or deploy ransomware to encrypt project files and disrupt development efforts.
3. Mitigation Recommendations
The primary mitigation is to upgrade to a version of NI G Web Development Software newer than 2022 Q3. NI publishes updates and patches through its support portal, and all users of G Web Development Software should update immediately. In addition, implement a file vetting process for project files received from external sources, and train users to treat project files from unknown or untrusted senders with suspicion. Consider application control on developer workstations to restrict which executables can run, limiting the blast radius should exploitation occur. Further details and downloads are available on the NI support website: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/deserialization-of-untrusted-data-vulnerability-in-ni-g-web-deve.html
4. Executive Summary
NI G Web Development Software is affected by a high-severity flaw (CVE-2024-12742) that could allow an attacker to execute arbitrary code on a user's system. The vulnerability is triggered when a user opens a specially crafted project file. Successful exploitation could lead to data theft, data modification, or complete system compromise, with potential impact on development workflows and project timelines. We recommend immediately updating to the latest version of G Web Development Software (newer than 2022 Q3) to mitigate this risk, and remaining vigilant about the source of project files. Addressing this vulnerability is crucial to protecting our development environment and ensuring the continued integrity and availability of our projects.