Vulnerability discovered by Cory Duplantis of Cisco Talos.
Overview
LabVIEW is a system design and development platform released by National Instruments. The software is widely used to create applications for data acquisition, instrument control and industrial automation. Talos is disclosing the presence of a code execution vulnerability and a memory corruption vulnerability which can be triggered by opening specially crafted VI files, the proprietary file format used by LabVIEW. National Instruments have released a patch, LabVIEW 2016 f2 which should be applied.
TALOS-2017-0269 memory corruption vulnerability (CVE-2017-2775)
When processing the 'LastSavedTarget' segment of an input VI file, four bytes are read which are used for a loop condition to clear chunks of the heap structure internal to labView. If the LvVarientUnflatten function is supplied, with an invalid loop terminator, an attacker could clear internal heap chunks potentially leading to remote code execution.
Full details are available here.
Known vulnerable versions: LabVIEW 2016 version 16.0, 64 bit version only.
Discussion
Exploiting vulnerabilities in specialist file formats may be useful to attackers who are seeking to target specific individuals and systems within an organisation. Like all attacks, a vulnerability can only be exploited on systems on which the vulnerable software is present. Since LabVIEW is widely used in the automation of data acquisition and control systems, an attacker who successfully exploits a LabVIEW vulnerability may be able to gain a toehold on a device controlling a physical system.
Organizations using this and similar software to control physical systems need to bear in mind the possibility of attackers exploiting vulnerabilities in control software to gain access to physical systems. Equally, organizations should remember that proprietary file formats do not protect against software vulnerabilities. Even in the absence of a published file format specification vulnerabilities triggered by malicious files may still be discovered.
Coverage
The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.
Snort Rules: 41370-41371