Hole in NI’s LabVIEW

Thursday, March 23, 2017 @ 03:03 PM gHale

There is a high severity code execution vulnerability in National Instruments’ LabVIEW system design software, researchers said.

LabVIEW 2016 version 16.0 suffers from a heap-based buffer overflow vulnerability that can be triggered by a specially crafted VI file (a LabVIEW-specific format), which causes a user-controlled value to be used as a loop terminator, said researchers at Cisco’s Talos.
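The bug class described above, as an added example that is not from the article, the Talos advisory or NI's code: a parser for a constructed toy record format (not the VI format) in which a count read from the file is the loop bound, next to a version that validates that count first. The format, function names and sample bytes are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format, NOT the VI format: uint16 LE entry count, then count 4-byte entries. */
#define MAX_ENTRIES 8u
#define ENTRY_SIZE  4u

/* Constructed samples: GOOD declares 2 entries; BAD declares 1024 but carries only 2. */
static const uint8_t GOOD[] = {0x02, 0x00, 1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t BAD[]  = {0x00, 0x04, 1, 2, 3, 4, 5, 6, 7, 8};

/* Vulnerable pattern (for contrast, never called here): the file's count is the
   only loop bound, so a count above MAX_ENTRIES writes past the heap block. */
int parse_unchecked(const uint8_t *in, size_t len, uint32_t **out) {
    (void)len;                                      /* input length is ignored */
    uint16_t count = (uint16_t)(in[0] | (in[1] << 8));
    uint32_t *tbl = malloc(MAX_ENTRIES * sizeof *tbl);
    if (!tbl) return -1;
    for (uint16_t i = 0; i < count; i++)            /* file-controlled terminator */
        memcpy(&tbl[i], in + 2 + i * ENTRY_SIZE, ENTRY_SIZE);
    *out = tbl;
    return count;
}

/* Hardened form: the count is checked against the allocation and the input size. */
int parse_checked(const uint8_t *in, size_t len, uint32_t **out) {
    if (len < 2) return -1;                         /* header must be present */
    size_t count = (size_t)in[0] | ((size_t)in[1] << 8);
    if (count > MAX_ENTRIES) return -1;             /* bound by destination capacity */
    if (count * ENTRY_SIZE > len - 2) return -1;    /* bound by bytes actually supplied */
    uint32_t *tbl = calloc(MAX_ENTRIES, sizeof *tbl);
    if (!tbl) return -1;
    for (size_t i = 0; i < count; i++)
        memcpy(&tbl[i], in + 2 + i * ENTRY_SIZE, ENTRY_SIZE);
    *out = tbl;
    return (int)count;
}

int main(void) {
    uint32_t *t = NULL;
    printf("GOOD -> %d\n", parse_checked(GOOD, sizeof GOOD, &t));
    free(t); t = NULL;
    printf("BAD  -> %d\n", parse_checked(BAD, sizeof BAD, &t));
    return 0;
}
```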


By getting a targeted user to open a malicious VI file, a remote attacker can execute arbitrary code. Cisco created an advisory containing technical details about the flaw, which is tracked as CVE-2017-2775. The CVSS score is 7.5.

“Since LabVIEW sees wide usage in the automation of data acquisition and control systems, an attacker who successfully exploits a LabVIEW vulnerability may be able to gain a toehold on a device controlling a physical system,” Talos researchers said in a blog post.

The vulnerability was reported to National Instruments on January 13 and disclosed on March 22, but it’s unclear if a patch is available. An update released by NI does address a memory corruption issue that fits the description.

“Organizations using this and similar software to control physical systems need to bear in mind the possibility of attackers exploiting vulnerabilities in control software to gain access to physical systems,” Talos researchers said in the blog post.

“Equally, organizations should remember that proprietary file formats do not protect against software vulnerabilities. Even in the absence of a published file format specification, vulnerabilities triggered by malicious files may still be discovered,” the researchers said.
