A code execution flaw in LabVIEW will remain unpatched

Security researchers at Cisco Talos have discovered a code execution issue in LabVIEW software that will remain unpatched.

Security researchers at Cisco Talos have discovered a code execution vulnerability in National Instruments LabVIEW system design and development platform.

The LabVIEW engineering software is widely adopted for applications that require test, measurement, and control.

The vulnerability tracked as CVE-2017-2779, could be exploited by tricking victims into opening specially crafted VI files that is the proprietary file format used by the popular software.

“An exploitable memory corruption vulnerability exists in the RSRC segment parsing functionality of LabVIEW. A specially crafted VI file can cause an attacker controlled looping condition resulting in an arbitrary null write. An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution.” reads the security advisory published by Talos.

An attacker can modify values within this section of a VI file to trigger a controlled looping condition resulting in an arbitrary null write. In this way, the attacker use a specially crafted VI file that when opened can trigger the flaw and force the execution of the attacker’s code.

This is the second vulnerability discovered by Talos in the LabVIEW software this year, the first one tracked as CVE-2017-2775 was fixed in March.

CISCO Talos reported the flaw to the National Instruments in January, but the vendor will not fix it because it does not consider it a vulnerability.

“National Instruments does not consider that this issue constitutes a vulnerability in their product, since any .exe like file format can be modified to replace legitimate content with malicious and has declined to release a patch.” continues Cisco Talos report.”

““Many (LabVIEW) users may be unaware that VI files are analogous to .exe files and should be accorded the same security requirements,” 

Unfortunately, many users might ignore that VI files are analogous to .exe files and that can be exploited to execute malicious code.

According to Talos experts the vulnerability is similar to the .NET PE loader vulnerability CVE-2007-0041 that Microsoft addressed with MS07-040.

“The consequences of a successful compromise of a system that interacts with the physical world, such as a data acquisition and control systems, may be critical to safety. Organizations that deploy such systems, even as pilot projects, should be aware of the risk posed by vulnerabilities such as these and adequately protect systems,” concluded Talos.

The vulnerability affects the LabVIEW 2016 version 16.0.

Talos released the Snort Rules: 41368- 41369 to detect exploitation attempts,

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hacking, LabVIEW)

[adrotate banner=”12″]