NI has implemented a fix for a crash that can occur in LabVIEW due to incomplete input validation of Virtual Instrument (VI) files. Links to relevant patches are included at the bottom of this page.
LabVIEW 2017
LabVIEW 2016
LabVIEW 2015
LabVIEW 2014
A specially crafted VI file can cause the RSRC segment parsing function in LabVIEW to write an arbitrary number of zeros to memory when the VI file is opened by a user. This could result in memory corruption or a LabVIEW crash.
Memory corruption can be a security vulnerability. In this case, exploitation for code execution is very unlikely (for example, refer to the Common Consequences section of CWE-476) and has not been demonstrated. Exploitation for code execution is further mitigated by the operating system’s memory protections. The vulnerability cannot be exploited remotely because the RSRC segment parsing function is not bound to the network stack.
Always exercise the same precautions with VI files as you would with EXE and DLL files. Refer to Security Best Practices for LabVIEW VI Files for guidelines.
This issue was addressed in the following patches:
Note: Links above refer to the 32-bit Windows LabVIEW Development Environment patches only. Other platforms and bitnesses can be found by searching NI Product Downloads for the relevant patch.
5.3 - CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H
CVE-2017-2779
CWE-476
TALOS-2017-0273
Security Best Practices for LabVIEW VI Files