LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a code execution vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW.
TALOS-2017-0273 code execution vulnerability (CVE-2017-2779)
The VI file format describes various systems implemented in LabVIEW. Although there is no published specification for the file format, inspecting the files shows that they contain a section named ‘RSRC’, presumably containing resource information. Modulating the values within this section of a VI file can cause a controlled looping condition resulting in an arbitrary null write. This vulnerability can be used by an attacker to create a specially crafted VI file that when opened results in the execution of code supplied by the attacker.
National Instruments does not consider that this issue constitutes a vulnerability in their product, since any .exe like file format can be modified to replace legitimate content with malicious and has declined to release a patch. Talos disagrees. There are similarities between this vulnerability and the .NET PE loader vulnerability CVE-2007-0041 which was patched in MS07-040. Additionally, many users may be unaware that VI files are analogous to .exe files and should be accorded the same security requirements.
Known vulnerable versions:
LabVIEW 2016 version 16.0
We have previously disclosed a vulnerability in the same software. As with the previous disclosure, organisations should be aware that proprietary file formats without a published specification are nevertheless amenable to inspection to identify vulnerabilities. The consequences of a successful compromise of a system that interacts with the physical world, such as a data acquisition and control systems, may be critical to safety. Organisations that deploy such systems, even as pilot projects, should be aware of the risk posed by vulnerabilities such as these and adequately protect systems.
The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.