CVE-2023-4570: Improper Restriction in NI MeasurementLink Python Services


Overview

An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the ni-measurementlink-service Python package and all previous versions. This vulnerability is identified as CVE-2023-4570.

Mitigation Guidance

NI strongly recommends upgrading the affected software. Refer to the Affected Products section for information on which components to upgrade.

To upgrade the ni-measurementlink-service Python package:

  1. Terminate all measurement service processes.
    • To terminate statically registered measurement services, open Task Manager, select the Details tab, find the NationalInstruments.MeasurementLink.DiscoveryService.exe process, and select End task.
    • If you have manually launched any measurement services, terminate those as well.
  2. Upgrade ni-measurementlink-service for each measurement plug-in project.
    • If the project has version constraints in a pyproject.toml or requirements.txt file, update the file to require ni-measurementlink-service version 1.1.1 or later.
    • If the project has a dependency lock file, update it. For example, if you are using the Poetry tool to manage your projects, run the poetry lock command.
    • Commit the updated files to version control, if applicable.
    • Upgrade or delete/re-create all virtual environments associated with the project. For example, if you are using Poetry, run the poetry install command to install the updated dependencies into the project’s virtual environment.
    • If you use PyInstaller to build EXEs for your measurement plug-ins, rebuild them.
  3. Reinstall the updated measurement plug-ins to the MeasurementLink static registration directory (C:\ProgramData\National Instruments\MeasurementLink\Services).

You can confirm that the upgrade was applied by running your measurements and then checking the MeasurementLink log files located in C:\ProgramData\National Instruments\MeasurementLink\Logs.

  • Affected versions of ni-measurementlink-service log the message “Measurement service hosted on port: nnnnn”, where nnnnn is a placeholder for the TCP port number.
  • Fixed versions of ni-measurementlink-service log the message “Measurement service listening on: http://[::1]:nnnnn”, where nnnnn is a placeholder for the TCP port number.
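
The log check above can be scripted across all log files. This is an added example, not NI's code: the log file encoding, the timestamp prefix on the constructed sample lines, and the extra loopback test on the logged URL are assumptions that go beyond what the advisory states.

```python
import ipaddress
import re
from pathlib import Path
from urllib.parse import urlsplit

# The two messages quoted in the advisory; the capture is the port or the URL.
AFFECTED = re.compile(r"Measurement service hosted on port: (\d+)")
FIXED = re.compile(r"Measurement service listening on: (\S+)")
# Log directory named in the advisory.
LOG_DIR = Path(r"C:\ProgramData\National Instruments\MeasurementLink\Logs")

# Constructed sample lines (timestamp/level prefix is an assumption).
SAMPLE = [
    "2023-09-01 10:00:01 INFO Measurement service hosted on port: 50051",
    "2023-09-01 10:05:09 INFO Measurement service listening on: http://[::1]:50052",
    "2023-09-01 10:06:00 INFO Measurement service listening on: http://0.0.0.0:50053",
    "2023-09-01 10:06:01 INFO Measurement completed",
]

def is_loopback(url):
    """True if the logged URL's host is localhost or a loopback IP address."""
    try:
        host = urlsplit(url).hostname or ""
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:  # malformed URL or a non-IP host name
        return False

def classify(lines):
    """Return (status, detail) for each line carrying one of the two messages."""
    findings = []
    for line in lines:
        if m := AFFECTED.search(line):
            findings.append(("affected", m.group(1)))
        elif m := FIXED.search(line):
            # Extra check: a "listening on" URL that is not loopback needs review.
            status = "fixed" if is_loopback(m.group(1)) else "review"
            findings.append((status, m.group(1)))
    return findings

def scan(log_dir=LOG_DIR):
    """Classify every file under log_dir; returns (file name, status, detail)."""
    rows = []
    for path in sorted(p for p in Path(log_dir).rglob("*") if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="replace")
        rows += [(path.name, *f) for f in classify(text.splitlines())]
    return rows

if __name__ == "__main__":
    for row in (scan() if LOG_DIR.is_dir() else classify(SAMPLE)):
        print(*row)
```

Entries written before the upgrade still carry the old message, so judge each service by its most recent entry after re-running the measurements.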

Affected Products

| Product Version | Mitigation |
| --- | --- |
| NI MeasurementLink with Python measurement plug-ins using ni-measurementlink-service version 1.0.0, 1.0.1, or 1.1.0 | Upgrade all Python measurement plug-ins to use ni-measurementlink-service version 1.1.1 or later |

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.


Related news

GHSA-3f48-9j7q-q2gv: NI MeasurementLink Python Services Improper Access Restriction vulnerability

### Impact

An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the `ni-measurementlink-service` Python package and all previous versions.

### Patches

Upgrade all Python measurement plug-ins to use `ni-measurementlink-service` version 1.1.1 or later.

### References

Visit [ni.com/info](http://www.ni.com/info) and enter the info code `cve-2023-4570` for more information.
