Keysight N8844A Data Analytics Web Service (Update A)
Act Now9.8ICS-CERT ICSA-23-115-01Apr 25, 2023
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
A Java object deserialization vulnerability (CWE-502) exists in the Keysight N8844A Data Analytics Web Service and is inherited by 43+ downstream Keysight products including oscilloscopes (Infiniium, InfiniiVision), network analyzers (PNA, ENA), signal analyzers, embedded controllers, compliance test software, and wireless test systems. Successful exploitation requires network access to the device and allows remote code execution with the privileges of the web service process. Keysight has stated that older versions of impacted software are affected, with limited or no patching available for most products. The vendor recommends uninstalling vulnerable versions and implementing network isolation controls.
What this means
What could happen
An attacker with network access to a Keysight test and measurement device could deserialize malicious data, allowing remote code execution and complete control over the instrument. This could alter test results, corrupt measurement data, or disable critical testing operations.
Who's at risk
Organizations that use Keysight test and measurement equipment for RF/wireless testing, oscilloscopy, network analysis, or automotive compliance testing should care. This includes telecommunications companies, automotive suppliers, aerospace contractors, electronics manufacturers, and R&D labs. The affected products include oscilloscopes, signal analyzers, network analyzers, embedded controllers, and software suites used in test automation and compliance verification. This vulnerability has industry-wide reach across test and measurement sectors.
How it could be exploited
An attacker sends a specially crafted serialized object to the N8844A Data Analytics Web Service or any Keysight product using the vulnerable deserialization component. The service deserializes the untrusted data without validation, allowing the attacker to instantiate arbitrary objects and execute code on the device with the privileges of the web service process.
Prerequisites
- Network access to the Keysight device's web service port (typically 443)
- No authentication required to exploit the deserialization flaw
- Device must be running a vulnerable version of the software
Remotely exploitable over networkNo authentication requiredLow complexity attackJava object deserialization (CWE-502)Vendor states no patch available for most productsCVSS critical (9.8)Broad scope: affects 43+ Keysight software products
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (45)
45 pending
ProductAffected VersionsFix Status
N8844A Data Analytics Web Service: <=2.1.7351≤ 2.1.7351No fix yet
5G Test SW: vers:all/*All versionsNo fix yet
89600 Vector Signal Analysis SW: <June/20/2023<June/20/2023No fix yet
Arbitrary Waveform Generators: vers:all/*All versionsNo fix yet
Automotive Compliance Apps: <April/17/2023<April/17/2023No fix yet
Remediation & Mitigation
0/5
Do now
0/2HARDENINGUninstall all vulnerable Keysight software versions and discontinue their use immediately
WORKAROUNDRestrict network access to Keysight test instruments using host-based firewall rules; block unauthorized connections to the web service port
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HARDENINGPerform a network discovery audit to identify all Keysight devices in your environment and verify their current software versions using the Keysight Product Lookup Tool
Long-term hardening
0/2HARDENINGIsolate Keysight test and measurement devices from the business network and the Internet; place them on a dedicated lab or test network
HARDENINGIf remote access to test equipment is required, use a VPN tunnel with authentication; do not expose the web service directly to the Internet
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/498a7fd3-0d64-47ae-8928-86189c790c95