Out of Bounds Write Due to Missing Bounds Check in LabVIEW

Overview

An out of bounds write due to missing bounds checks in LabVIEW may result in remote code execution.  Successful exploitation requires an attacker to provide a user with a specially crafted VI.  These vulnerabilities affect LabVIEW 2024 Q1 and prior versions.

 

These vulnerabilities are identified as CVE-2024-23608, CVE-2024-23610, and CVE-2024-23611.

Contents

Mitigation Guidance

NI strongly recommends patching the affected software to mitigate this vulnerability.  Refer to the Affected Products section to download the update.  

Affected Products

 

CVSS Score

CVE-2024-23608– 7.8 - CVSS:3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2024-23610– 7.8 - CVSS:3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2024-23611– 7.8 - CVSS:3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.

Additional Resources

Product VersionMitigation
LabVIEW 2024Install LabVIEW 2024 Q1 Patch 1 or later from NI Package Manager or Software Downloads   
LabVIEW 2023Install LabVIEW 2023 Q3 Patch 3 or later from NI Package Manager or Software Downloads 
LabVIEW 2022Install LabVIEW 2022 Q3 Patch 1 or later from NI Package Manager or Software Downloads
LabVIEW 2021Install LabVIEW 2021 SP1 f2 or later from NI Package Manager or Software Downloads 
LabVIEW 2020 and priorNot in Mainstream Support

Was this information helpful?

Yes

No