LabVIEW 64-bit LvVariantUnflatten Vulnerability

Overview

NI has released software patches for a security vulnerability that affects 64-bit versions of LabVIEW software.

Background

The LvVariantUnflatten function in 64-bit versions of LabVIEW prior to LabVIEW 2017 is susceptible to a heap memory corruption vulnerability. A specially crafted VI file can cause a attacker-controlled amount of heap space to be overwritten when the VI file is loaded. Exploitation could lead to arbitrary code execution.

 

Solution

NI has provided patches for LabVIEW 2016, LabVIEW 2015 SP1 and 2014 SP1.  NI recommends that you install these patches. There are no plans to patch any earlier versions.

 

Mitigation

You can reduce the likelihood of exploitation by adhering to Security Best Practices for LabVIEW VI Files.

 

CVSS Score

7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

Patch Download Locations

LabVIEW 2016 f2 Patch

LabVIEW 2015 SP1 f7 Patch

LabVIEW 2014 SP1 f10 Patch

 

Related Links

CVE-2017-2775

TALOS-2017-0269

Security Best Practices for LabVIEW VI Files

 

Revision History

5/2/2017 - Initial

7/24/2017 - Updated for LabVIEW 2014 SP1 f10 Patch