CVE-2023-4601: Stack-based Buffer Overflow in NI System Configuration

Overview

A stack-based buffer overflow vulnerability exists in NI System Configuration that could result in information disclosure and/or arbitrary code execution. Successful exploitation requires that an attacker can provide a specially crafted response. This affects NI System Configuration 2023 Q3 and all previous versions. This vulnerability is identified as CVE-2023-4601.

This vulnerability applies to Windows systems only. NI System Configuration Runtime, which includes the issue, is installed with many NI drivers and software products. Refer to the Mitigation Guidance section to determine whether mxRmCfg.dll is installed and, if so, which version.

NI strongly recommends upgrading the affected software to fix this vulnerability.

  • Mitigation Guidance
  • Affected Products
  • CVSS Score
  • Further Information
  • Acknowledgements
  • Additional Resources

To determine the version of NI System Configuration installed:

  1. Navigate to <Program Files(x86)>\National Instruments\Shared\MAX\Bin\
  2. Right-click on file mxRmCfg.dll and select Properties.
  3. In the Properties window, go to the Details tab. Note the version listed as the Product Version.

If the version is prior to 23.8, refer to the Affected Products table below for what software to download and install to upgrade the affected software.
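
The manual check above can be scripted so it can be run on many Windows hosts. The following PowerShell is an added example, not NI's own tooling: the function name `Test-NISysCfgVersion` and its status labels are hypothetical, and it assumes the Product Version string begins with `major.minor`.

```powershell
# Added example: scripted form of the Properties > Details check for mxRmCfg.dll.
# The file location and the 23.8 threshold come from the advisory text.
function Test-NISysCfgVersion {
    [CmdletBinding()]
    param(
        [string]$Path,                    # optional override of the DLL location
        [version]$FixedVersion = '23.8'   # versions prior to this need the upgrade
    )

    if (-not $Path) {
        # <Program Files(x86)> on 64-bit Windows. Assumption: on 32-bit Windows
        # the same relative path lives under the plain Program Files folder.
        $base = ${env:ProgramFiles(x86)}
        if (-not $base) { $base = $env:ProgramFiles }
        $Path = Join-Path $base 'National Instruments\Shared\MAX\Bin\mxRmCfg.dll'
    }

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        Path           = $Path
        ProductVersion = $null
        Status         = 'NotInstalled'
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $info = (Get-Item -LiteralPath $Path).VersionInfo
        $result.ProductVersion = $info.ProductVersion

        $found = $null
        if ($info.ProductVersion -match '^\s*(\d+)\.(\d+)') {
            # Same string that Explorer shows as "Product version".
            $found = [version]('{0}.{1}' -f $Matches[1], $Matches[2])
        } elseif ($info.ProductMajorPart -gt 0) {
            # Fall back to the numeric fields of the version resource.
            $found = [version]('{0}.{1}' -f $info.ProductMajorPart, $info.ProductMinorPart)
        }

        if ($null -eq $found)              { $result.Status = 'Unknown' }
        elseif ($found -lt $FixedVersion)  { $result.Status = 'NeedsUpgrade' }
        else                               { $result.Status = 'Fixed' }
    }

    [pscustomobject]$result
}

Test-NISysCfgVersion
```

A `NotInstalled` result only means the DLL is not at the default location; pass `-Path` if NI software was installed to a different directory.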

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.

This issue was reported by Anonymous working with Trend Micro Zero Day Initiative. NI would like to thank Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.
