CVE-2023-34299
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious CO files in Ashlar-Vellum Cobalt. Attackers can exploit a heap buffer overflow during CO file parsing to gain control of the affected process. Users of Ashlar-Vellum Cobalt who open untrusted CO files are at risk.
💻 Affected Systems
- Ashlar-Vellum Cobalt
📦 What is this software?
Cobalt is a 3D CAD and modeling application from Ashlar-Vellum; it reads and writes its own CO file format, which is the format affected here.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or malware execution in the context of the current user, potentially leading to data exfiltration or further system compromise.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash rather than code execution.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious CO file) and knowledge of heap manipulation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-859/
Restart Required: Yes
Instructions:
1. Check current Cobalt version
2. Download latest update from Ashlar-Vellum
3. Install update following vendor instructions
4. Restart system if required
🔧 Temporary Workarounds
Disable CO file association
Remove the CO file type association with Cobalt so that double-clicking a CO file no longer opens it automatically
Windows: run assoc .co= from an administrator command prompt to clear the association
macOS: Remove CO file association in Finder preferences
Application sandboxing
Run Cobalt with reduced privileges inside an application sandbox so that a successful exploit is confined to the sandboxed process
Windows: RunAs with limited user account
macOS: Use sandbox-exec or similar
🧯 If You Can't Patch
- Implement strict file validation policies to block untrusted CO files
- Use application whitelisting to prevent execution of malicious payloads
🔍 How to Verify
Check if Vulnerable:
Cobalt is installed, is older than the patched version named in the vendor advisory, and is configured to open CO files
Check Version:
Check Help > About in Cobalt application
Verify Fix Applied:
Verify installation of latest Cobalt version from vendor
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing CO files
- Unusual process spawning from Cobalt
Network Indicators:
- Outbound connections from Cobalt to unknown IPs
- Unexpected network traffic following CO file opening
SIEM Query (generic pseudo-syntax, adapt field names to your SIEM; matches the two log indicators above, a Cobalt crash or a process spawned by Cobalt):
(EventID=1000 AND FaultingApplication contains 'Cobalt') OR (EventID=1 AND ParentProcess contains 'Cobalt')
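As an added example that is not part of the original advisory, the two log indicators above (Cobalt crashing, Cobalt spawning a child process) expressed as detection logic run over constructed sample records. The pipe-separated record layout, the mapping of Application EventID 1000 to a crash and Sysmon EventID 1 to process creation, and the EXPECTED_CHILDREN allow-list are assumptions to adjust to your own logging.

```python
import re

# Constructed sample records (not captured from a real system): Windows
# Application log crash events (EventID 1000) and Sysmon process-creation
# events (EventID 1), flattened to pipe-separated key=value fields.
SAMPLE_LOG = """\
source=Application|EventID=1000|FaultingApp=Cobalt.exe|FaultingModule=Cobalt.exe|User=alice
source=Sysmon|EventID=1|Image=C:\\Program Files\\Ashlar-Vellum\\Cobalt.exe|ParentImage=C:\\Windows\\explorer.exe|User=alice
source=Sysmon|EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\Ashlar-Vellum\\Cobalt.exe|User=alice
source=Sysmon|EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|User=bob
source=Application|EventID=1000|FaultingApp=notepad.exe|FaultingModule=ntdll.dll|User=bob
"""

COBALT_EXE = "cobalt.exe"
# Assumed allow-list of children Cobalt may legitimately spawn; tune per site
# (for example add the vendor's updater if it is launched from the application).
EXPECTED_CHILDREN = {"cobalt.exe"}

def parse_line(line):
    """Split 'k=v|k=v' into a dict; values may contain spaces and backslashes."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def detect(log_text):
    """Return (indicator, user, detail) tuples for Cobalt crashes and for
    processes whose parent is Cobalt but which are not on the allow-list."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("EventID") == "1000" and basename(rec.get("FaultingApp", "")) == COBALT_EXE:
            alerts.append(("cobalt_crash", rec.get("User", "?"), rec.get("FaultingModule", "?")))
        elif rec.get("EventID") == "1" and basename(rec.get("ParentImage", "")) == COBALT_EXE:
            child = basename(rec.get("Image", ""))
            if child not in EXPECTED_CHILDREN:
                alerts.append(("cobalt_spawned_child", rec.get("User", "?"), child))
    return alerts

def correlate(alerts):
    """Users showing both indicators: a crash (failed attempt) next to a spawned
    child (successful attempt) is a stronger signal than either alone."""
    by_user = {}
    for kind, user, _ in alerts:
        by_user.setdefault(user, set()).add(kind)
    return sorted(user for user, kinds in by_user.items() if len(kinds) == 2)

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("users with both indicators:", correlate(found))
```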