A bug in LabVIEW which may allow code execution by attackers has now been patched following a dispute between National Instruments and the Cisco Talos security team.
Last week, Cisco Talos released the details of the vulnerability to the public. In a security advisory, Talos said the bug, discovered by a member of the team, Cory Duplantis, could result in the potential execution of code by attackers.
According to Talos, the problem lies within LabVIEW's proprietary file format, .VI. The team says that the VI files contain a section called "RSRC," which is presumably used to store resource information. If the values of this section are manipulated, this can cause a looping condition resulting in an arbitrary null write and memory corruption.
Should an attacker create a specially crafted VI with altered values, the team says they may be able to execute code, which could, in turn, lead to system compromise, malware deployment, or surveillance.
Originally, National Instruments told Talos that this issue does not constitute a vulnerability, as "any .exe like file format can be modified to replace legitimate content with malicious [code]," and the vendor refused to issue a patch.
"There are similarities between this vulnerability and the .NET PE loader vulnerability CVE-2007-0041 which was patched in MS07-040," said Talos security lead Martin Lee. "Additionally, many users may be unaware that VI files are analogous to .exe files and should be accorded the same security requirements."
Now the problem has been made public, it seems that NI has had a change of heart, and issued a security advisory late last week informing users that the vulnerability has now been patched.
However, the vendor emphasized that despite the patch deployment, the prospect of the bug leading to code execution is "very unlikely."
"Memory corruption can be a security vulnerability," NI said. "In this case, exploitation for code execution is very unlikely [...] and has not been demonstrated. Exploitation for code execution is further mitigated by the operating system's memory protections."
"The vulnerability cannot be exploited remotely because the RSRC segment parsing function is not bound to the network stack," the company added.