The National Instruments (NI) LabVIEW software installed on remote Windows hosts is affected by several critical vulnerabilities. These issues are present in LabVIEW 2024 Q1 and earlier versions. They include an out-of-bounds read and memory corruption problems, both of which could be exploited to disclose sensitive information or execute arbitrary code. The vulnerabilities are tracked as CVE-2024-4079, CVE-2024-4080, and CVE-2024-4081, each tied to a specific flaw in the handling of crafted VI files.
The first vulnerability, CVE-2024-4079, results from a missing bounds check, which may allow unauthorized information disclosure or arbitrary code execution if a specially crafted VI is processed. Similarly, CVE-2024-4080 involves improper length checks in the tdcore.dll component of LabVIEW, which could also lead to memory corruption and potential exploitation. Both issues arise from inadequate input validation and bounds checking.
CVE-2024-4081 is a separate memory corruption vulnerability caused by improper length checks in the LabVIEW application itself. Successful exploitation of these vulnerabilities requires an attacker to deliver a specially crafted VI file to a user; the file then compromises the security of the LabVIEW environment. Taken together, these vulnerabilities make comprehensive security measures and timely updates essential.
To mitigate these risks, users are advised to upgrade to the latest version of NI LabVIEW as recommended in the vendor’s advisory. The updates are designed to address these vulnerabilities and enhance the overall security posture of the software. Because Nessus has not yet tested for these issues, following the vendor’s guidance and patching practices remains crucial for maintaining system integrity and security.