National Instruments has issued a crucial alert regarding vulnerabilities affecting its LabVIEW software, which is extensively utilized in various sectors, including critical manufacturing and defense. This advisory, shared by the Cybersecurity and Infrastructure Security Agency (CISA), underscores the importance of immediate action for users to protect their systems and data.
Executive Summary
- Severity Rating: CVSS v4 score of 8.5—a critical alert for users.
- Attack Complexity: Low, making exploitation more feasible for potential attackers.
- Affected Vendor and Product: National Instruments; LabVIEW.
- Type of Vulnerabilities: Multiple out-of-bounds read vulnerabilities that could lead to serious breaches.
Risk Evaluation
The vulnerabilities in LabVIEW can lead to unauthorized information disclosure and potentially allow attackers to execute arbitrary code on vulnerable systems. This scenario is particularly alarming as it poses significant risks to organizations relying on LabVIEW for critical applications across various industries.
Technical Details
Affected Products
The following versions of LabVIEW are reported to be impacted:
- LabVIEW 2024: Versions Q3 (24.3f0) and prior.
- LabVIEW 2023: All versions.
- LabVIEW 2022: All versions.
- LabVIEW 2021: All versions (End of Life).
Vulnerability Overview
The vulnerabilities are primarily classified as out-of-bounds read (CWE-125), which implies that the software is trying to read memory outside its allocated range, leading to potential exposure of sensitive information. Notable vulnerabilities include:
- HeapObjMapImpl Function:
  - CVE-2024-10494: CVSS v3.1 base score of 7.8; CVSS v4 score of 8.5.
  - CVE-2024-10495: CVSS v3.1 base score of 7.8; CVSS v4 score of 8.5.
  - CVE-2024-10496: CVSS v3.1 base score of 7.8; CVSS v4 score of 8.5.
Background Information
The vulnerabilities affect critical infrastructure sectors, including:
- Critical Manufacturing
- Defense Industrial Base
- Information Technology
- Transportation Systems
Mitigations
To defend against these vulnerabilities, National Instruments recommends updating to the following versions:
- LabVIEW 2024: Upgrade to Q3 Patch 2 or later via the NI Package Manager.
- LabVIEW 2023: Upgrade to Q3 Patch 5 or later.
- LabVIEW 2022: Upgrade to Q3 Patch 4 or later.
- LabVIEW 2021 and earlier: No support; consider transitioning to supported versions.
- Minimize network exposure for all devices to avoid external access.
- Isolate control system networks behind firewalls.
- Employ secure remote access via VPNs, keeping in mind that VPN security depends on device security as well.
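As an added example, not part of the advisory or of any NI tooling, the following Python helper applies the affected and fixed versions listed above to an inventory of installed LabVIEW versions. It assumes (the page does not say this) that NI's internal "YY.Qf<N>" string encodes patch level N, so 24.3f0 is the 2024 Q3 base release and 24.3f2 is 2024 Q3 Patch 2; the host names and versions in the sample inventory are constructed.

```python
import re
from typing import NamedTuple

# Fixed releases from the mitigation list in the advisory.
# Assumption (not on the page): internal "YY.Qf<N>" encodes patch level N,
# so 24.3f0 = 2024 Q3 base and 24.3f2 = 2024 Q3 Patch 2.
FIXED_PATCH = {(2024, 3): 2, (2023, 3): 5, (2022, 3): 4}
LAST_EOL_YEAR = 2021        # 2021 and earlier: end of life, no patch available
LAST_AFFECTED = (2024, 3)   # newest release the advisory lists as affected


class LvVersion(NamedTuple):
    year: int
    quarter: int   # 0 when the release carries no quarter (e.g. "2021")
    patch: int


_INTERNAL = re.compile(r"^(\d{2})\.(\d)f(\d+)$")                                   # 24.3f0
_MARKETING = re.compile(r"^(\d{4})(?:\s+Q([1-4]))?(?:\s+Patch\s+(\d+))?$", re.I)  # 2024 Q3 Patch 2


def parse_version(text: str) -> LvVersion:
    """Accept NI's internal form ('24.3f0') or the marketing form ('2024 Q3 Patch 2')."""
    text = text.strip()
    if m := _INTERNAL.match(text):
        return LvVersion(2000 + int(m[1]), int(m[2]), int(m[3]))
    if m := _MARKETING.match(text):
        return LvVersion(int(m[1]), int(m[2] or 0), int(m[3] or 0))
    raise ValueError(f"unrecognised LabVIEW version: {text!r}")


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable', 'vulnerable-eol' or 'not-listed' for one installed version."""
    v = parse_version(text)
    if v.year <= LAST_EOL_YEAR:
        return "vulnerable-eol"          # no patch exists; migrate to a supported release
    if (v.year, v.quarter) > LAST_AFFECTED:
        return "not-listed"              # newer than anything the advisory covers
    fixed = FIXED_PATCH.get((v.year, v.quarter))
    if fixed is None:
        return "vulnerable"              # e.g. 2023 Q1: the fix only ships in 2023 Q3 Patch 5
    return "fixed" if v.patch >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map host name -> status for an inventory of installed versions."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"lab-pc-01": "24.3f0", "lab-pc-02": "2024 Q3 Patch 2",
              "test-rig-07": "23.1f3", "legacy-09": "2021"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```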
Final Thoughts
In an age where cyber threats loom large and evolve constantly, organizations utilizing LabVIEW must prioritize security updates and mitigations. While no active exploitation has been reported against these vulnerabilities, the potential risks associated with them could lead to devastating consequences if not addressed promptly.
Stay vigilant, share any unusual activity with the appropriate authorities, and educate your teams on recognizing cybersecurity threats. By taking proactive measures, organizations can better defend their critical systems against potential exploitation.
For further details, organizations are encouraged to review the full security bulletin provided by National Instruments and CISA.
Source: CISA National Instruments LabVIEW