LabVIEW is a system design and development platform issued by National Instruments. The software is publicly used to build applications for data acquisition, instrument control and industrial automation.
Talos security researchers have discovered a code execution vulnerability that can be triggered by opening specially crafted VI files (a file format used by LabVIEW), which allow a remote attacker to execute arbitrary code.
“The VI file format describes various systems implemented in LabVIEW. Although there is no published specification for the file format, inspecting the files shows that they contain a section named ‘RSRC’, presumably containing resource information. Modulating the values within this section of a VI file can cause a controlled looping condition resulting in an arbitrary null write. This vulnerability can be used by an attacker to create a specially crafted VI file that when opened results in the execution of code supplied by the attacker.”
Security researchers have successfully tested the flaw on LabVIEW 2016 version 16.0, but National Instruments has declined to acknowledge this problem as a flaw in their product and had no intentions to publish any patch to fix the flaw.
“National Instruments does not consider that this issue constitutes a vulnerability in their product, since any .exe like file format can be modified to replace legitimate content with malicious and has declined to release a patch.”
Users are recommended to not open any VI file received via an email.