CVE-2017-2779 - An exploitable memory corruption vulnerability exists in the RSRC segment parsing functionality of L

CVE-2017-2779

Summary

An exploitable memory corruption vulnerability exists in the RSRC segment parsing functionality of LabVIEW 2017, LabVIEW 2016, LabVIEW 2015, and LabVIEW 2014. A specially crafted Virtual Instrument (VI) file can cause an attacker controlled looping condition resulting in an arbitrary null write. An attacker controlled VI file can be used to trigger this vulnerability and can potentially result in code execution.

References

Vulnerable Configurations

cpe:2.3:a:ni:labview:2017:*:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2017:*:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2015:*:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2015:*:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2014:*:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2014:*:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2016:*:*:*:*:*:*:*
cpe:2.3:a:ni:labview:2016:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 19-04-2022 - 19:15)
Impact:
Exploitability:

CWE

CWE-787

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bid	100519
confirm	http://www.ni.com/product-documentation/54099/en/
misc	https://0patch.blogspot.com/2017/09/0patching-rsrc-arbitrary-null-write.html https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0273

Last major update

19-04-2022 - 19:15

Published

05-09-2017 - 18:29

Last modified

19-04-2022 - 19:15