NI has implemented a fix for a crash that can occur in LabVIEW due to incomplete input validation of Virtual Instrument (VI) files. Links to relevant patches are included at the bottom of this page.
A specially crafted VI file can cause the RSRC segment parsing function in LabVIEW to write an arbitrary number of zeros to memory when the VI file is opened by a user. This could result in memory corruption or a LabVIEW crash.
Memory corruption can be a security vulnerability. In this case, exploitation for code execution is very unlikely (for example, refer to the Common Consequences section of CWE-476) and has not been demonstrated. Exploitation for code execution is further mitigated by the operating system’s memory protections. The vulnerability cannot be exploited remotely because the RSRC segment parsing function is not bound to the network stack.
Always exercise the same precautions with VI files as you would with EXE and DLL files. Refer to Security Best Practices for LabVIEW VI Files for guidelines.
This issue was addressed in the following patches:
LabVIEW 2014 SP1 f11
LabVIEW 2015 SP1 f9
LabVIEW 2016 f4
LabVIEW 2017 f2
Note: Links above refer to the 32-bit Windows LabVIEW Development Environment patches only. Other platforms and bitnesses can be found by searching NI Product Downloads for the relevant patch.
5.3 - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
Security Best Practices for LabVIEW VI Files