A new vulnerability has been found in National Instrument’s LabVIEW, and it won’t be getting patched
Recently, a team of security researchers at Cisco Talos have discovered a code execution vulnerability in the LabVIEW system design and development platform, made by National Instruments. The LabVIEW engineering software is frequently used for applications that require test, measurement, and control. The vulnerability is labeled as CVE-2017-2779, and is exploited by tricking victims into opening specially crafted VI (virtual instrument) files, the proprietary file format used by LabVIEW.
Through the exploitation of this vulnerability, attackers can modify specific values within a VI file in order to trigger a null write, and consequently force the arbitrary execution of any malicious code involved in the attack. For this reason, VI files can essentially be seen as analogous to .exe files, as they can both be easily manipulated to execute malicious code.
This is the second vulnerability of the year for LabView, the former being fixed in March, although National Instruments does not intend on patching this one, as it reportedly does not see it as a vulnerability. For now, this vulnerability will remain unpatched, leaving many companies and other users susceptible to threats.