Out of Bounds Write Due to Missing Bounds Check in LabVIEW

Overview

An out-of-bounds write due to missing bounds checks in LabVIEW may result in remote code execution. Successful exploitation requires an attacker to provide a user with a specially crafted VI. These vulnerabilities affect LabVIEW 2024 Q1 and prior versions.

These vulnerabilities are identified as CVE-2024-23608, CVE-2024-23610, and CVE-2024-23611.

Mitigation Guidance

NI strongly recommends patching the affected software to mitigate these vulnerabilities. Refer to the Affected Products section to download the update.

Affected Products

 

CVSS Score

CVE-2024-23608 - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2024-23610 - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2024-23611 - 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.

Additional Resources

Product Version | Mitigation
LabVIEW 2024 | Install LabVIEW 2024 Q1 Patch 1 or later from NI Package Manager or Software Downloads
LabVIEW 2023 | Pending
LabVIEW 2022 | Pending
LabVIEW 2021 | Pending
