LabVIEW

cancel
Showing results for 
Search instead for 
Did you mean: 

erl.exe causing vulnerability "Weak SSL/TLS Key Exchange | port 5673/tcp over SSL"

Hello all

where I work the latest Qualys security scan has identified a level 4 threat on our laptop running LabVIEW Professional Development System (2022 Q3) as "Weak SSL/TLS Key Exchange | port 5673/tcp over SSL" , this originates from erl.exe which keeps the 5673 port permanently open. Clearly our security team are not happy about this: are you aware of this issue? can it be fixed somehow? Thanks all. Regards

0 Kudos
Message 1 of 15
(1,811 Views)

While LabVIEW uses this executable (I think RabbitMQ), that executable is external to NI so they can't really fix it.

Bill
CLD
(Mid-Level minion.)
My support system ensures that I don't look totally incompetent.
Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.
Humble author of the CLAD Nugget.
0 Kudos
Message 2 of 15
(1,807 Views)

They actually can and I’m sure the newest version of SystemLink uses a newer version of RabbitMQ. So upgrading that component could work. Or removing SystemLink from your system.

Rolf Kalbermatter  My Blog
DEMO, Electronic and Mechanical Support department, room 36.LB00.390
Message 3 of 15
(1,762 Views)

Thanks all for the replies...I am afraid I am on expert in security etc, I am only passing the message. I did not know there was a ERL program running and I do not want to tinker in the labVIEW installation ...unless anybody suggest what to do step by step, sorry again for my ignorance. Thanks 

0 Kudos
Message 4 of 15
(1,759 Views)

@rolfk wrote:

They actually can and I’m sure the newest version of SystemLink uses a newer version of RabbitMQ. So upgrading that component could work. Or removing SystemLink from your system.


I don't count that as "NI fixing it" but rather "NI applying a third party patch to address this issue".  I suppose it's just semantics.

Bill
CLD
(Mid-Level minion.)
My support system ensures that I don't look totally incompetent.
Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.
Humble author of the CLAD Nugget.
0 Kudos
Message 5 of 15
(1,733 Views)

@billko wrote:

 

I don't count that as "NI fixing it" but rather "NI applying a third party patch to address this issue".  I suppose it's just

What is your proposal here? SystemLink uses RabbitMQ that is written in Erlang, but if the RabbitMQ developers even have a bit of sanity left they do not implement HTTP themselves but rather use an already available library, maybe in Erlang too but possibly also a binary dependency such as libcurl. This library for sure won’t implement encryption itself, that would be a sure way to introduce unfixable vulnerabilities. Most likely they use OpenSSL. Each of these dependencies is naturally a little older than the using component. Upgrading such dependencies in dependencies of dependencies for a bug fix release is nothing more than monkey patching. So the only thing is upgrading the entire first dependency with a new version. This is a major development step and pretty much the definition of a new version release, which means upgrading SystemLink (or deinstalling it if you don’t need it) is the most direct fix. Anything else is very unlikely to happen.

Rolf Kalbermatter  My Blog
DEMO, Electronic and Mechanical Support department, room 36.LB00.390
0 Kudos
Message 6 of 15
(1,719 Views)

All, thank you.

I do not have too much freedom in upgrading to a newer version lf LabVIEW to corporate agreement between my employer and NI. I am with version 20222Q3.

Also as LV is used by many employees like me they will have tis potential vulnerability. ....keeping PORTs open is never a good thing and I am surprised nobody has reported it as major issue. 

Qualys security scan is well known and so is the threat "Weak SSL/TLS Key Exchange | port 5673/tcp over SSL" ...how is it possible that it is up to the users to fix it? 

Thanks

Regards 

 

 

0 Kudos
Message 7 of 15
(1,711 Views)

Just uninstall SystemLink! I doubt you are using it in any form and flavor. It's unfortunate that the default LabVIEW installer is trying to push all these dependencies down a users throat and I'm sure NI needs to rethink this. SystemLink is a product (with fairly significant license costs if you use it, and those license costs might be justified in a large factory floor where you need some way to manage all the NI hardware from a central place) but most LabVIEW users never ever encounter it other than in such incidents such as a security scan. It should be an optional component for many reasons, such as making the pretty long installation process a bit smaller, not introducing into a system security sensitive components that are never really used, NI definitely not being a specialist in Erlang related tools and components, etc.

 

The very slight potential that a user will maybe, eventually, after some miracle, start to use a software like SystemLink and pay the associated license cost because it was already installed on his system absolutely doesn't weight up with the potential for conflicts, security vulnerabilities, outdated software components and millions of installation minutes wasted for something that is never used, but sits idling in the background whenever the computer is started up. It should be at least disabled by default until an according tool using it is started up or it is explicitly enabled in the configuration dashboard of SystemLink!

 

As to the merits of Qualys Security Scan, I have no idea. There are more such tools on the market than I care to learn about, and some of them tend to be more scareware than anything else, so claiming your specific tool is the one that should be used for auditing is always a tricky thing.

 

As to how to upgrade or get rid of SystemLink there are a few options:

 

1) upgrading SystemLink to a newer version: https://www.ni.com/en/support/downloads/software-products/download.systemlink.html

 

2) deinstalling it: Startup NI Package Manager (NIPM) and search for installed SystemLink components. Uninstall them! Some of the packages are only visible if you uncheck the Product only option and enable the Gear Icon>>Show full version numbers and hidden packages in the Installed tab of NIPM.

 

3) disabling its associated services and background tasks: Go to Windows Services and search for NI System Link related services. Stop them and disable them. This may have rather unexpected effects if you are not careful which services you disable.

 

And next time when you install LabVIEW, go through the various packages it wants to install and explicitly uncheck all SystemLink related packages.

Rolf Kalbermatter  My Blog
DEMO, Electronic and Mechanical Support department, room 36.LB00.390
0 Kudos
Message 8 of 15
(1,704 Views)

@rolfk wrote:

@billko wrote:

 

I don't count that as "NI fixing it" but rather "NI applying a third party patch to address this issue".  I suppose it's just

What is your proposal here? SystemLink uses RabbitMQ that is written in Erlang, but if the RabbitMQ developers even have a bit of sanity left they do not implement HTTP themselves but rather use an already available library, maybe in Erlang too but possibly also a binary dependency such as libcurl. This library for sure won’t implement encryption itself, that would be a sure way to introduce unfixable vulnerabilities. Most likely they use OpenSSL. Each of these dependencies is naturally a little older than the using component. Upgrading such dependencies in dependencies of dependencies for a bug fix release is nothing more than monkey patching. So the only thing is upgrading the entire first dependency with a new version. This is a major development step and pretty much the definition of a new version release, which means upgrading SystemLink (or deinstalling it if you don’t need it) is the most direct fix. Anything else is very unlikely to happen.


I didn't explain myself very well.  I meant it's NI's responsibility to fix the issue, but the issue wasn't caused by anything they did.  By mentioning "patch", I led you down a RabbitMQ hole that I did not intend.  My comment wasn't intended to cause a discussion about the ease of the fix, although I can see why it did.

Bill
CLD
(Mid-Level minion.)
My support system ensures that I don't look totally incompetent.
Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.
Humble author of the CLAD Nugget.
0 Kudos
Message 9 of 15
(1,677 Views)

Hi Annnina

 

Thank you for escalating this concern. Is there a particular CVE associated with this finding you can share? I suspect this issue has been resolved in newer versions of LabVIEW that include a newer version of RabbitMQ (which pulls in erl.exe). 

 

Are there any concerns on your team to the potential of upgrading LabVIEW to resolve this issue? There are also a specific set of features that make use of RabbitMQ, which depending on your use case, can be disabled to mitigate this issue. If the upgrade is not possible we can go into more details whether this mitigation is feasible.

 

Thanks!

Mark

Mark
NI App Software R&D
0 Kudos
Message 10 of 15
(1,661 Views)