CVE-2024-23610: 
LabVIEW vulnerability analysis and mitigation

An out-of-bounds write vulnerability (CVE-2024-23610) was discovered in NI LabVIEW software that could lead to remote code execution. The vulnerability affects LabVIEW 2024 Q1 and prior versions, requiring user interaction where an attacker needs to provide a specially crafted VI file to the target (NI Security, ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of VI files, which can result in a write past the end of an allocated buffer. The vulnerability has been assigned a CVSS score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with local attack vector requirements and user interaction needed for exploitation (ZDI Advisory).

Successful exploitation of this vulnerability could allow attackers to execute arbitrary code in the context of the current process, potentially leading to complete system compromise (ZDI Advisory).

NI has released patches to address this vulnerability. Users of affected versions are strongly recommended to update their software. For LabVIEW 2024, users should install LabVIEW 2024 Q1 Patch 1 or later. For LabVIEW 2023, install LabVIEW 2023 Q3 Patch 3 or later. For LabVIEW 2022, install LabVIEW 2022 Q3 Patch 1 or later, and for LabVIEW 2021, install LabVIEW 2021 SP1 f2 or later (NI Security).