NI has implemented a fix for a crash that can occur in LabVIEW due to incomplete input validation of Virtual Instrument (VI) files. Links to relevant patches are included at the bottom of this page.
LabVIEW 2017
LabVIEW 2016
LabVIEW 2015
LabVIEW 2014
A specially crafted VI file can cause the RSRC segment parsing function in LabVIEW to write an arbitrary number of zeros to memory when the VI file is opened by a user. This could result in memory corruption or a LabVIEW crash.
Memory corruption can be a security vulnerability. In this case, exploitation for code execution is very unlikely (for example, refer to the Common Consequences section of CWE-476) and has not been demonstrated. Exploitation for code execution is further mitigated by the operating system’s memory protections. The vulnerability cannot be exploited remotely because the RSRC segment parsing function is not bound to the network stack.
Always exercise the same precautions with VI files as you would with EXE and DLL files. Refer to Security Best Practices for LabVIEW VI Files for guidelines.
This issue was addressed in the following patches:
Note: Links above refer to the 32-bit Windows LabVIEW Development Environment patches only. Other platforms and bitnesses can be found by searching NI Product Downloads for the relevant patch.
5.3 - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
CVE-2017-2779
CWE-476
TALOS-2017-0273
Security Best Practices for LabVIEW VI Files