CVE-2024-23608: 
LabVIEW vulnerability analysis and mitigation

An out-of-bounds write vulnerability (CVE-2024-23608) was discovered in NI LabVIEW software that could lead to remote code execution. The vulnerability affects LabVIEW 2024 Q1 and prior versions, including versions from 2020. The issue was disclosed and patches were released to address the security concern (NI Advisory, ZDI Advisory).

The vulnerability stems from the lack of proper validation of user-supplied data during the parsing of VI files, which can result in a write past the end of an allocated buffer. It has been assigned a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-787 (Out-of-bounds Write). The vulnerability requires local access and low privileges for exploitation (ZDI Advisory, NVD).

Successful exploitation of this vulnerability could allow attackers to execute arbitrary code in the context of the current process, potentially leading to complete system compromise with the privileges of the affected process (ZDI Advisory).

NI has released patches to address this vulnerability. Users of affected versions are strongly recommended to update their software: LabVIEW 2024 users should install Q1 Patch 1 or later, LabVIEW 2023 users should install Q3 Patch 3 or later, LabVIEW 2022 users should install Q3 Patch 1 or later, and LabVIEW 2021 users should install SP1 f2 or later. These updates are available through the NI Package Manager or Software Downloads (NI Advisory).

The vulnerability was responsibly disclosed by a researcher working with Trend Micro's Zero Day Initiative, with the initial report made to the vendor on December 1, 2023, followed by a coordinated public release on March 12, 2024 (ZDI Advisory).