CVE-2023-4570 - Vulnerability Details - OpenCVE

An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the ni-measurementlink-service Python package and all previous versions.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00113.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Ni	Measurementlink

Configuration 1 [-]

cpe:2.3:a:ni:measurementlink:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2628	An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the ni-measurementlink-service Python package and all previous versions.
Github GHSA	GHSA-3f48-9j7q-q2gv	NI MeasurementLink Python Services Improper Access Restriction vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.ni.com/en/support/documentation/supplemental/23/improper-restriction-in-ni-measurementlink-python-services.html

History

Thu, 19 Sep 2024 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: NI

Published: 2023-10-05T15:26:45.467Z

Updated: 2024-09-19T18:53:34.207Z

Reserved: 2023-08-28T19:32:41.324Z

Link: CVE-2023-4570

Vulnrichment

Updated: 2024-08-02T07:31:06.617Z

NVD

Status : Modified

Published: 2023-10-05T16:15:12.357

Modified: 2024-11-21T08:35:27.013

Link: CVE-2023-4570

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4570", "assignerOrgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4", "state": "PUBLISHED", "assignerShortName": "NI", "dateReserved": "2023-08-28T19:32:41.324Z", "datePublished": "2023-10-05T15:26:45.467Z", "dateUpdated": "2024-09-19T18:53:34.207Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Python Services"], "product": "MeasurementLink ", "vendor": "NI", "versions": [{"lessThanOrEqual": "1.1.0", "status": "affected", "version": "1.0.0", "versionType": "1.1.1"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the </span><span style=\"background-color: rgb(255, 255, 255);\">ni-measurementlink-service</span><span style=\"background-color: rgb(255, 255, 255);\"> Python package and all previous versions.</span><br>"}], "value": "An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the ni-measurementlink-service\u00a0Python package and all previous versions.\n"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4", "shortName": "NI", "dateUpdated": "2023-10-05T15:26:45.467Z"}, "references": [{"url": "https://www.ni.com/en/support/documentation/supplemental/23/improper-restriction-in-ni-measurementlink-python-services.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Improper Restriction in NI MeasurementLink Python Services", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:06.617Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.ni.com/en/support/documentation/supplemental/23/improper-restriction-in-ni-measurementlink-python-services.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T18:53:21.646541Z", "id": "CVE-2023-4570", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T18:53:34.207Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.ni.com/en/support/documentation/supplemental/23/improper-restriction-in-ni-measurementlink-python-services.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:06.617Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4570", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-19T18:53:21.646541Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T18:53:29.529Z"}}], "cna": {"title": "Improper Restriction in NI MeasurementLink Python Services", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NI", "modules": ["Python Services"], "product": "MeasurementLink ", "versions": [{"status": "affected", "version": "1.0.0", "versionType": "1.1.1", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.ni.com/en/support/documentation/supplemental/23/improper-restriction-in-ni-measurementlink-python-services.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the ni-measurementlink-service\u00a0Python package and all previous versions.\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the </span><span style=\"background-color: rgb(255, 255, 255);\">ni-measurementlink-service</span><span style=\"background-color: rgb(255, 255, 255);\"> Python package and all previous versions.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-420", "description": "CWE-420 Unprotected Alternate Channel"}]}], "providerMetadata": {"orgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4", "shortName": "NI", "dateUpdated": "2023-10-05T15:26:45.467Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4570", "state": "PUBLISHED", "dateUpdated": "2024-09-19T18:53:34.207Z", "dateReserved": "2023-08-28T19:32:41.324Z", "assignerOrgId": "bca5b2e8-03a4-4781-b4ca-c6a078c0bfd4", "datePublished": "2023-10-05T15:26:45.467Z", "assignerShortName": "NI"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ni:measurementlink:*:*:*:*:*:*:*:*", "matchCriteriaId": "8731F703-66B3-41C9-BA87-1563482F6AE5", "versionEndExcluding": "1.1.1", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using version 1.1.0 of the ni-measurementlink-service\u00a0Python package and all previous versions.\n"}, {"lang": "es", "value": "Una restricci\u00f3n de acceso inadecuada en los servicios de NI MeasurementLink Python podr\u00eda permitir que un atacante en una red adyacente acceda a servicios expuestos en localhost. Anteriormente se pensaba que estos servicios eran inalcanzables fuera del nodo. Esto afecta a los complementos de medici\u00f3n escritos en Python que utilizan la versi\u00f3n 1.1.0 del paquete Python ni-measurementlink-service y todas las versiones anteriores."}], "id": "CVE-2023-4570", "lastModified": "2024-11-21T08:35:27.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@ni.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-05T16:15:12.357", "references": [{"source": "security@ni.com", "tags": ["Vendor Advisory"], "url": "https://www.ni.com/en/support/documentation/supplemental/23/improper-restriction-in-ni-measurementlink-python-services.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.ni.com/en/support/documentation/supplemental/23/improper-restriction-in-ni-measurementlink-python-services.html"}], "sourceIdentifier": "security@ni.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-420"}], "source": "security@ni.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}