CVE-2023-35710
📋 TL;DR
A stack-based buffer overflow vulnerability in Ashlar-Vellum Cobalt allows remote attackers to execute arbitrary code when users open malicious CO files or visit malicious web pages. This affects all installations of Ashlar-Vellum Cobalt that process CO files. The vulnerability requires user interaction but can lead to complete system compromise.
💻 Affected Systems
- Ashlar-Vellum Cobalt
📦 What is this software?
Cobalt is a CAD application from Ashlar-Vellum; the vulnerable component is its parser for CO files.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining the same privileges as the current user, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive files and system resources, with potential for installation of persistence mechanisms.
If Mitigated
Limited impact with application crash or denial of service if exploit attempts are blocked by security controls.
🎯 Exploit Status
Exploitation requires user interaction, but the vulnerability is in a widely used file format parser. ZDI has published details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-873/
Restart Required: Yes
Instructions:
1. Check the Ashlar-Vellum website for security updates.
2. Download and install the latest version of Cobalt.
3. Restart the application.
4. Verify the patch is applied.
🔧 Temporary Workarounds
Block CO file extensions
- All platforms: Prevent processing of CO files at the network or endpoint level
- Windows: Use Group Policy to block .co file execution
- Email filtering: Block .co attachments
Application sandboxing
- All platforms: Run Cobalt in a restricted environment to limit exploit impact
- Windows: Use AppLocker to restrict Cobalt
- macOS: Use sandbox-exec
- Linux: Use SELinux/AppArmor policies
🧯 If You Can't Patch
- Implement strict email filtering to block CO file attachments
- Use application whitelisting to prevent unauthorized execution and restrict Cobalt's network access
🔍 How to Verify
Check if Vulnerable:
Check the Cobalt version against the vendor advisory. If an unpatched version is in use and CO files are processed, the system is vulnerable.
Check Version:
Windows: Check Help > About in Cobalt GUI. Command line varies by OS installation.
Verify Fix Applied:
Verify that the Cobalt version matches the patched version from the vendor advisory. Test with known safe CO files to ensure functionality.
📡 Detection & Monitoring
Log Indicators:
- Application crashes when processing CO files
- Unusual process spawning from Cobalt
- Memory access violations in application logs
Network Indicators:
- Downloads of CO files from untrusted sources
- Outbound connections from Cobalt to suspicious IPs
SIEM Query:
Process creation where parent process is Cobalt AND (command line contains suspicious patterns OR destination IP is external)
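The SIEM logic above, as an added example that is not part of the original advisory: a small Python detector run over constructed Sysmon-style process-creation and network-connection records. The image name `Cobalt.exe`, its install path, and the list of suspicious command-line patterns are assumptions for illustration, not values from the page or the vendor; adjust them to the real deployment before use.

```python
"""Added example: evaluate the advisory's SIEM rule over constructed events.

Rule: parent process is Cobalt AND (command line contains suspicious patterns
OR destination IP is external). Image name and patterns are assumptions.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

# Assumed image name of the Cobalt process (placeholder for illustration).
COBALT_IMAGE = "cobalt.exe"

# Assumed command-line patterns that a CAD viewer's child process should not
# normally show (encoded PowerShell, certutil downloads, script hosts).
SUSPICIOUS_PATTERNS = [
    re.compile(r"powershell.*\s-enc\b", re.I),
    re.compile(r"\bcertutil\b.*urlcache", re.I),
    re.compile(r"\bmshta\b", re.I),
    re.compile(r"\b[wc]script\b", re.I),
]

# Explicit internal ranges (RFC 1918, loopback, link-local) so the check does
# not depend on the ipaddress module's broader notion of "private".
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_external(ip: str) -> bool:
    """True when the destination is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_cobalt(image_path: str) -> bool:
    """Match on the file name only, so the install directory does not matter."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == COBALT_IMAGE


def evaluate(event: dict) -> Optional[str]:
    """Return a finding for one event, or None if it is benign under the rule."""
    if event["event"] == "process_create":
        if not is_cobalt(event["parent_image"]):
            return None
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(event["command_line"]):
                return ("suspicious child of Cobalt: %s (%s)"
                        % (event["image"], event["command_line"]))
        return None
    if event["event"] == "network_connect":
        if is_cobalt(event["image"]) and is_external(event["dest_ip"]):
            return "Cobalt outbound to external %s:%d" % (event["dest_ip"], event["dest_port"])
        return None
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run the rule over a stream of events and collect the findings."""
    return [f for f in (evaluate(e) for e in events) if f]


# Constructed sample events (paths and IPs are illustrative placeholders).
SAMPLE_EVENTS = [
    {"event": "process_create",
     "parent_image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc AAAAAAAA"},
    {"event": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -enc AAAAAAAA"},          # parent is not Cobalt
    {"event": "process_create",
     "parent_image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "image": r"C:\Program Files\Ashlar-Vellum\Cobalt\CobaltHelp.exe",
     "command_line": "CobaltHelp.exe /index"},                # benign child
    {"event": "network_connect",
     "image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "dest_ip": "10.0.0.5", "dest_port": 445},                 # internal
    {"event": "network_connect",
     "image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "dest_ip": "203.0.113.7", "dest_port": 443},              # external
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Two of the five constructed events are reported: the encoded PowerShell child of Cobalt and the outbound connection to a non-internal address. The pattern list is deliberately short; in a real deployment, tune it against a baseline of the child processes and destinations Cobalt legitimately produces, so that a benign helper such as the help viewer in the sample does not page anyone.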