LabVIEW

Considering that neither the CVE nor the NI knowledge-base article say anything about in which part this vulnerability occurs, it is pretty impossible to make any statement about how it could or could not affect a potential user. I would guess it involves VI Server, but that is a very uneducated guess with the lack of information that is present.

Update: https://www.zerodayinitiative.com/advisories/ZDI-24-289/ is a little more specific. It seems that part of the VI loading is not correctly parsing the (binary) VI file, which can result in loading data that can then be executed, when opening specially crafted VIs.

Rolf Kalbermatter
My Blog

I read this:

---

In this case, we think the impact is pretty small – to exploit this issue, someone will need to send a bad VI to someone to run on their machine, and that someone will have to receive it and run it in the LabVIEW environment. It will crash LabVIEW, but not make data available. It’s something we have to fix, but it doesn’t immediately create a problem for customers. We decided to make the 2024 fix available immediately, which we did, rather than wait for all versions be available.

---

Does anyone know if this applies to versions prior to LV2021?

The Affected Products list only lists 2024,2023,2022 and 2021.

However the CVE website says ...and prior versions, possibly lifted from the Description on the NI website that states the same.

I would certainly read it as it only affecting the 4 versions in the Affected Products list.

Nope, that is not valid to interpret it like that. NI only will check and verify currently supported versions. And supported versions are the latest and the previous 3. Anything else will not be verified, acknowledged or denied in any way!

My cautious guess is that it affects earlier versions too, possibly back to 8.0 or even earlier.

Rolf Kalbermatter
My Blog

---

@jcarmody wrote:

I read this:

---

In this case, we think the impact is pretty small – to exploit this issue, someone will need to send a bad VI to someone to run on their machine, and that someone will have to receive it and run it in the LabVIEW environment. It will crash LabVIEW, but not make data available. It’s something we have to fix, but it doesn’t immediately create a problem for customers. We decided to make the 2024 fix available immediately, which we did, rather than wait for all versions be available.

---

---

Where did you read this? I couldn't find it.

Also a bit confused how the CVE says this allows for remote code execution while this statement makes it seem like the buffer overflow just crashes LabVIEW and can't(?) be used to execute code.

---

---

---

Where did you read this? I couldn't find it.

---

I read it in an internal email from someone in NI.

Has anyone had to go through a Cyber Essentials Plus assessment with this CVE?

This requires you to apply any updates to software with a CVE score >7. We have had problems in the past with a CVE on LabVIEW 2019 which NI are not releasing a patch for. Our assessors have said that we have to upgrade (because their is an update, e.g. LV 2020 onwards). We ended up getting an exception agreed as we still have a lot of cRIO's which now only support 2019.

I suspect getting an exception for two CVE's may be even more of a drama