If you’re an engineer and use LabVIEW software to design machines or industrial equipments, you should be very suspicious while opening any VI (virtual instrument) file.
LabVIEW, developed by American company National Instruments, is a visual programming language and powerful system-design tool that is being used worldwide in hundreds of fields and provides engineers with a simple environment to build measurement or control systems
Security researchers from Cisco’s Talos Security Intelligence have discovered a critical vulnerability in LabVIEW software that could allow attackers to execute malicious code on a target computer, giving them full control of the system.
Identified as CVE-2017-2779, the code execution vulnerability could be triggered by opening a specially crafted VI file, a proprietary file format used by LabVIEW.
The vulnerability originates because of memory corruption issue in the RSRC segment parsing functionality of LabVIEW.
Modulating the values within the RSRC segment of a VI file causes a controlled looping condition, which results in an arbitrary null write.
“A specially crafted LabVIEW virtual instrument file (with the *.vi extension) can cause an attacker controlled looping condition resulting in an arbitrary null write,” Talos researchers explain.
“An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution.”
Talos researchers have successfully tested the vulnerability on LabVIEW 2016 version 16.0, but National Instruments has refused to consider this issue as a vulnerability in their product and had no plans to release any patch to address the flaw.
However, the issue should not be ignored, because the threat vector is almost similar to many previously disclosed Microsoft Office vulnerabilities, in which victims got compromised after opening malicious MS Word file received via an email or downloaded from the Internet.
“The consequences of a successful compromise of a system that interacts with the physical world, such as a data acquisition and control systems, may be critical to safety,” the researchers write.
“Organisations that deploy such systems, even as pilot projects, should be aware of the risk posed by vulnerabilities such as these and adequately protect systems.”
Since there is no patch available, the LabVIEW users are left with only one option—be very careful while opening any VI file you receive via an email.
For more technical details about the vulnerability, you can head on to Cisco Talos’ advisory.