Using LabVIEW? Unpatched Flaw Allows Hackers to Hijack Your Computer
If
you're an engineer and use LabVIEW software to design machines or industrial
equipments, you should be very suspicious while opening any VI (virtual
instrument) file.
LabVIEW, developed by American company National Instruments, is a visual programming language and powerful system-design tool that is being used worldwide in hundreds of fields and provides engineers with a simple environment to build measurement or control systems
Security researchers from Cisco's Talos Security Intelligence have discovered a critical vulnerability in LabVIEW software that could allow attackers to execute malicious code on a target computer, giving them full control of the system.
LabVIEW, developed by American company National Instruments, is a visual programming language and powerful system-design tool that is being used worldwide in hundreds of fields and provides engineers with a simple environment to build measurement or control systems
Security researchers from Cisco's Talos Security Intelligence have discovered a critical vulnerability in LabVIEW software that could allow attackers to execute malicious code on a target computer, giving them full control of the system.
Identified as CVE-2017-2779, the code execution vulnerability could be triggered by opening a specially crafted VI file, a proprietary file format used by LabVIEW.
The vulnerability originates because of memory corruption issue in the RSRC segment parsing functionality of LabVIEW.
Modulating the values within the RSRC segment of a VI file causes a controlled looping condition, which results in an arbitrary null write.
"A specially crafted
LabVIEW virtual instrument file (with the *.vi extension) can cause an attacker
controlled looping condition resulting in an arbitrary null write," Talos
researchers explain.
"An attacker controlled VI
file can be used to trigger this vulnerability and can potentially result in
code execution."
Talos
researchers have successfully tested the vulnerability on LabVIEW 2016 version
16.0, but National Instruments has refused to consider this issue as a
vulnerability in their product and had no plans to release any patch to address
the flaw.
However, the issue should not be ignored, because the threat vector is almost similar to many previously disclosed Microsoft Office vulnerabilities, in which victims got compromised after opening malicious MS Word file received via an email or downloaded from the Internet.
"The consequences of a
successful compromise of a system that interacts with the physical world, such
as a data acquisition and control systems, may be critical to safety," the
researchers write.
"Organisations that deploy
such systems, even as pilot projects, should be aware of the risk posed by
vulnerabilities such as these and adequately protect systems."
Since
there is no patch available, the LabVIEW users are left with only one option—be
very careful while opening any VI file you receive via an email.
For more technical details about the vulnerability, you can head on to Cisco Talos' advisory.
For more technical details about the vulnerability, you can head on to Cisco Talos' advisory.
Using LabVIEW? Unpatched Flaw Allows Hackers to Hijack Your Computer
Reviewed by Video Sharing
on
August 29, 2017
Rating:
Reviewed by Video Sharing
on
August 29, 2017
Rating:
No comments