CVE-2023-34293
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Ashlar-Vellum Cobalt installations by tricking a user into opening a malicious X_B or X_T file. The flaw is improper validation of user-supplied data during file parsing, which leads to an out-of-bounds write that can be leveraged for code execution in the context of the current user. Users of affected Ashlar-Vellum Cobalt versions are at risk.
💻 Affected Systems
- Ashlar-Vellum Cobalt
📦 What is this software?
Cobalt is a CAD application by Ashlar-Vellum.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes malicious code in the context of the current user, potentially installing malware, stealing sensitive data, or establishing persistence on the system.
If Mitigated
Limited impact due to proper security controls like application sandboxing, limited user privileges, and network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). The vulnerability is in file parsing logic, making reliable exploitation dependent on specific memory layout conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-831/
Restart Required: Yes
Instructions:
1. Check the Ashlar-Vellum website for security updates.
2. Download and install the latest patch.
3. Restart the application and any affected services.
4. Verify the patch is applied correctly.
🔧 Temporary Workarounds
Restrict File Types
Windows: Block or restrict opening of X_B and X_T file types through application settings or group policy
User Awareness Training
All platforms: Train users to only open files from trusted sources and to be cautious with unexpected file attachments
🧯 If You Can't Patch
- Implement application allowlisting to block unauthorized executables launched from Cobalt or related processes
- Run Cobalt with reduced privileges using application sandboxing or limited user accounts
🔍 How to Verify
Check if Vulnerable:
Check if Ashlar-Vellum Cobalt is installed and what version is running. Review if X_B/X_T file parsing functionality is enabled.
Check Version:
Check application 'About' dialog or installation directory for version information
Verify Fix Applied:
Verify the installed version matches or exceeds the patched version from vendor advisory. Test with known safe X_B/X_T files to ensure proper parsing.
📡 Detection & Monitoring
Log Indicators:
- Unexpected application crashes when opening CAD files
- Suspicious process creation from Cobalt executable
- Multiple failed file parsing attempts
Network Indicators:
- Unusual outbound connections from Cobalt process
- File downloads from untrusted sources followed by Cobalt execution
SIEM Query:
Process Creation where Image contains 'cobalt' AND Parent Process is not expected CAD workflow
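The SIEM query above expressed as runnable detection logic over process-creation telemetry, as an added example that is not part of the original advisory. It assumes Sysmon Event ID 1 style JSON lines with `Image` and `ParentImage` fields; the expected-parent set and the list of suspicious child binaries are assumptions to tune for your environment, and the sample events are constructed.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Assumed set of processes that normally launch Cobalt (e.g. a user double-clicking a file).
EXPECTED_COBALT_PARENTS = {"explorer.exe", "userinit.exe"}
# Children a CAD application has no business spawning; a typical post-exploitation sign.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cobalt(image: str) -> bool:
    return "cobalt" in _basename(image)


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one process-creation event, or None if benign."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    if is_cobalt(parent) and image in SUSPICIOUS_CHILDREN:
        return "cobalt_spawned_suspicious_child"      # L42-style indicator
    if is_cobalt(image) and parent not in EXPECTED_COBALT_PARENTS:
        return "cobalt_launched_by_unexpected_parent"  # e.g. mail client or browser
    return None


def find_alerts(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan JSON-lines events; return (label, parent, child) for each hit."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            alerts.append((label, _basename(ev.get("ParentImage", "")),
                           _basename(ev.get("Image", ""))))
    return alerts


# Constructed sample telemetry (not real events); raw strings keep JSON's escaped backslashes.
SAMPLE_EVENTS = [
    r'{"EventID":1,"Image":"C:\\Program Files\\Ashlar-Vellum\\Cobalt\\Cobalt.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
    r'{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Ashlar-Vellum\\Cobalt\\Cobalt.exe"}',
    r'{"EventID":1,"Image":"C:\\Program Files\\Ashlar-Vellum\\Cobalt\\Cobalt.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"}',
    r'{"EventID":1,"Image":"C:\\Windows\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The second and third sample events trigger alerts; the first and fourth are normal activity.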