Incomplete RSRC Validation in LabVIEW

NI has implemented a fix for a crash that can occur in LabVIEW due to incomplete input validation of Virtual Instrument (VI) files. Links to relevant patches are included at the bottom of this page.

 

Affected Products

LabVIEW 2017
LabVIEW 2016
LabVIEW 2015
LabVIEW 2014

 

Background

A specially crafted VI file can cause the RSRC segment parsing function in LabVIEW to write an arbitrary number of zeros to memory when the VI file is opened by a user. This could result in memory corruption or a LabVIEW crash.

Memory corruption can be a security vulnerability. In this case, exploitation for code execution is very unlikely (for example, refer to the Common Consequences section of CWE-476) and has not been demonstrated. Exploitation for code execution is further mitigated by the operating system’s memory protections. The vulnerability cannot be exploited remotely because the RSRC segment parsing function is not bound to the network stack.

 

Mitigation

Always exercise the same precautions with VI files as you would with EXE and DLL files. Refer to Security Best Practices for LabVIEW VI Files for guidelines.

 

Available Patches

This issue was addressed in the following patches:

LabVIEW 2014 SP1 f11

LabVIEW 2015 SP1 f9

LabVIEW 2016 f4

LabVIEW 2017 f2

Note: Links above refer to the 32-bit Windows LabVIEW Development Environment patches only. Other platforms and bitnesses can be found by searching NI Product Downloads for the relevant patch. 

 

CVSS Score

5.3 - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

 

Related Links

CVE-2017-2779
CWE-476
TALOS-2017-0273
Security Best Practices for LabVIEW VI Files
