CVE-2023-35714
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on a machine running Ashlar-Vellum Cobalt by tricking a user into opening a malicious IGS (IGES CAD interchange) file. The flaw is improper validation of user-supplied data during IGS file parsing, which leads to a read past the end of an allocated buffer; the ZDI advisory rates this as exploitable for remote code execution in the context of the current process. Any installation of Cobalt that has not been updated past the affected release is at risk.
💻 Affected Systems
- Ashlar-Vellum Cobalt
📦 What is this software?
Cobalt is a 3D modeling and CAD application from Ashlar-Vellum. IGS files are IGES (Initial Graphics Exchange Specification) files, a plain-text CAD interchange format that Cobalt imports, so they routinely arrive from outside the organization (suppliers, customers, download sites), which is what makes a file-parsing bug in this component useful to an attacker.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes malicious code with the privileges of the current user, potentially installing malware, stealing sensitive data, or establishing persistence on the system.
If Mitigated
Limited impact: with Cobalt running as a standard (non-administrator) user and under application sandboxing, a successful attack is more likely to crash Cobalt than to give the attacker anything beyond the confined process, and data and persistence reachable from that process are limited to what the sandbox allows.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open (or a process must import) an attacker-supplied IGS file. An out-of-bounds read by itself more often crashes the parser or discloses memory than runs code; turning it into code execution typically requires chaining it with other primitives, so exploit development complexity is moderate. The references provided here do not mention public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-877/
Restart Required: Yes
Instructions:
1. Check the Ashlar-Vellum website (and the ZDI advisory above) for a security update that addresses this issue.
2. Apply the latest Cobalt release.
3. Restart the application.
4. Verify the installed version under Help > About matches the vendor's fixed release.
🔧 Temporary Workarounds
Restrict IGS file handling
Windows: Configure the system to open .igs/.iges files with a viewer other than Cobalt, or block delivery of IGS files from untrusted sources. Changing the association only affects what double-clicking a file launches; a user can still import the file from inside Cobalt, so pair this with user awareness.
Windows: Use Group Policy to deploy a default associations file (Computer Configuration > Administrative Templates > Windows Components > File Explorer > "Set a default associations configuration file", built from a reference machine with dism /online /Export-DefaultAppAssociations:<file>).
Windows: reg add HKCR\.igs /v "Content Type" /t REG_SZ /d text/plain /f (the value name contains a space and must be quoted; note that Content Type is MIME metadata and does not change the handler, which is the ProgID in the key's default value, and on Windows 8 and later the per-user UserChoice association overrides HKCR anyway, which is why the Group Policy route is preferred).
Application sandboxing
Windows: Run Cobalt under a standard (non-administrator) user account and, for files from untrusted sources, inside an isolated environment such as Windows Sandbox or a disposable VM, so a compromised process cannot reach the rest of the system.
Windows: RunAs /user:StandardUser "C:\Program Files\Cobalt\cobalt.exe" (illustrative account name and install path; substitute your own, and note that runas prompts for that account's password)
🧯 If You Can't Patch
- Implement network segmentation to isolate systems running Cobalt from critical infrastructure
- Deploy application allowlisting (for example Windows Defender Application Control or AppLocker) to prevent execution of unauthorized code; an out-of-bounds read turned into code execution still needs a payload to run, and allowlisting blocks dropped executables and scripts but not shellcode running inside cobalt.exe itself
- Treat IGS files from external senders as untrusted attachments: block or quarantine them at the mail gateway and web proxy, and have users import CAD data only from known suppliers
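As an added example for the "Restrict IGS file handling" workaround and the "If You Can't Patch" list above (this is not Ashlar-Vellum's code and not a fix for the CVE), a structural pre-screen that a mail gateway or shared-folder ingest can run on IGS files before a user ever opens them in Cobalt. It assumes the standard IGES fixed-80-column layout (section letter in column 73, sequence number in columns 74-80, two-line directory entries pointing into the parameter section, a terminate record declaring the section counts). The sample file it checks is constructed inline. It rejects files whose counts, sequence numbers, or directory-to-parameter pointers are inconsistent, the kind of malformed input an unchecked parser reads past a buffer on; it does not know which field this CVE concerns, so it is a filter, not a patch.

```python
"""Structural pre-screen for IGS/IGES files (added example, not Ashlar-Vellum code).
IGES records are 80 columns: column 73 is the section letter (S, G, D, P, T),
columns 74-80 a per-section sequence number. D entries are line pairs whose
field 2 points into the P section; the T record declares every section's line count.
"""
from dataclasses import dataclass, field

SECTION_ORDER = "SGDPT"


@dataclass
class IgesCheck:
    ok: bool
    reasons: list = field(default_factory=list)


def _int_field(text):
    """Blank-padded integer field -> int, or None if it is not a bare integer."""
    t = text.strip()
    return int(t) if t.isdigit() else None


def check_iges_structure(data: bytes) -> IgesCheck:
    reasons = []
    try:
        lines = data.decode("ascii").splitlines()
    except UnicodeDecodeError:
        return IgesCheck(False, ["non-ASCII bytes in an ASCII-only format"])
    if not lines:
        return IgesCheck(False, ["empty file"])

    counts = {s: 0 for s in SECTION_ORDER}
    section = {s: [] for s in SECTION_ORDER}
    last_idx = -1
    for n, raw in enumerate(lines, 1):
        if len(raw) > 80:
            reasons.append(f"line {n}: {len(raw)} columns, IGES records are 80")
            continue
        line = raw.ljust(80)
        sec, seq = line[72], _int_field(line[73:80])
        if sec not in SECTION_ORDER:
            reasons.append(f"line {n}: unknown section letter {sec!r} in column 73")
            continue
        idx = SECTION_ORDER.index(sec)
        if idx < last_idx:
            reasons.append(f"line {n}: section {sec} after {SECTION_ORDER[last_idx]}")
        last_idx = max(last_idx, idx)
        if seq != counts[sec] + 1:
            reasons.append(f"line {n}: sequence {line[73:80].strip()!r}, expected {counts[sec] + 1}")
        counts[sec] += 1
        section[sec].append(line)
    reasons += [f"missing {s} section" for s in SECTION_ORDER if counts[s] == 0]
    if reasons:
        return IgesCheck(False, reasons)

    # Terminate record: S, G, D, P line counts in four 8-column fields.
    term = section["T"][0]
    for i, s in enumerate("SGDP"):
        fld = term[i * 8:(i + 1) * 8]
        declared = _int_field(fld[1:]) if fld[0] == s else None
        if declared != counts[s]:
            reasons.append(f"T record declares {s}={fld.strip()!r}, file has {counts[s]} lines")

    # D entries: field 2 of line 1 is the P-section pointer, field 14 of line 2
    # the number of P lines the entity owns; both must stay inside the P section.
    d_lines = section["D"]
    if len(d_lines) % 2:
        reasons.append("D section has an odd number of lines")
    for k in range(0, len(d_lines) - len(d_lines) % 2, 2):
        ptr, span = _int_field(d_lines[k][8:16]), _int_field(d_lines[k + 1][24:32])
        if ptr is None or span is None or ptr < 1 or ptr + span - 1 > counts["P"]:
            reasons.append(f"D entry {k + 1}: parameter pointer {ptr} span {span} "
                           f"exceeds {counts['P']} P lines")

    # Each P line carries a back-pointer (columns 65-72) to an odd-numbered D line.
    for j, p in enumerate(section["P"], 1):
        de = _int_field(p[64:72])
        if de is None or de < 1 or de > counts["D"] or de % 2 == 0:
            reasons.append(f"P line {j}: DE pointer {p[64:72].strip()!r} is invalid")
    return IgesCheck(not reasons, reasons)


def _rec(body, sec, seq):
    """One 80-column record: 72-column body, section letter, 7-digit sequence."""
    return body.ljust(72)[:72] + sec + f"{seq:7d}"


def sample_iges(pd_pointer=1):
    """Constructed single-point (entity 116) file; pd_pointer lets a test break the D->P link."""
    d1 = f"{116:8d}{pd_pointer:8d}" + f"{0:8d}" * 6 + "00000000"
    d2 = f"{116:8d}{0:8d}{0:8d}{1:8d}{0:8d}" + " " * 24 + f"{0:8d}"
    recs = [
        _rec("constructed sample, not a real CAD export", "S", 1),
        _rec("1H,,1H;,6HSAMPLE,10HSAMPLE.IGS,7HEXAMPLE,7HEXAMPLE,32,38,6,308,15,", "G", 1),
        _rec("6HSAMPLE,1.,1,4HINCH,1,0.01,15H20240101.000000,1E-06,1.,,,11,0;", "G", 2),
        _rec(d1, "D", 1),
        _rec(d2, "D", 2),
        _rec("116,0.,0.,0.,0;".ljust(64) + f"{1:8d}", "P", 1),
        _rec(f"S{1:7d}G{2:7d}D{2:7d}P{1:7d}", "T", 1),
    ]
    return ("\n".join(recs) + "\n").encode("ascii")
```

Call check_iges_structure() on the raw bytes of an incoming attachment and quarantine anything that comes back with ok=False; the reasons list is what goes into the ticket. The pointer and count checks are deliberately strict (a legitimate exporter never emits a directory entry that points past the parameter section), so false positives are rare, but the gate says nothing about the contents of the parameter records themselves.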
🔍 How to Verify
Check if Vulnerable:
Check Cobalt version against vendor's patched version list. If unable to patch, assume vulnerable if using any version before the fix.
Check Version:
Windows: Check Help > About in Cobalt application or examine installed programs in Control Panel
Verify Fix Applied:
Verify Cobalt version matches or exceeds patched version specified by vendor. Test with known safe IGS files to ensure functionality.
📡 Detection & Monitoring
Log Indicators:
- Unexpected application crashes of Cobalt
- Unusual process creation from cobalt.exe
- File access to IGS files from untrusted sources
Network Indicators:
- Downloads of IGS files from suspicious sources
- Outbound connections from cobalt.exe to unknown IPs
SIEM Query:
Process creation (Sysmon Event ID 1 or Windows Security Event ID 4688) where ParentImage ends with '\cobalt.exe' AND Image ends with one of '\cmd.exe', '\powershell.exe', '\rundll32.exe', '\mshta.exe', '\wscript.exe', '\cscript.exe', '\regsvr32.exe'. The child list is illustrative: baseline what cobalt.exe normally spawns in your environment and alert on anything outside that set. A CAD application has no routine reason to launch a shell or script host, and the parent's CommandLine usually names the IGS document that was opened, which gives the responder the file to pull.
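The query above turned into runnable detection logic over constructed Sysmon Event ID 1 style records (an added example, not from the original page or the vendor). The field names (Image, ParentImage, ProcessGuid, ParentProcessGuid, CommandLine, UtcTime) are Sysmon's; the event contents, the file paths and the list of suspect child images are assumptions to tune against what cobalt.exe normally spawns in your environment. It also ties each alert back to the IGS document named on the parent's command line so the responder knows which file to quarantine.

```python
"""Child-process detection for cobalt.exe over constructed Sysmon-style events.
Added example; events, paths and the child-image baseline are assumptions."""
import re

PARENT = "cobalt.exe"
# Images a CAD application has no routine reason to spawn. Assumed baseline;
# tune it to what cobalt.exe legitimately launches on your hosts.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}
# A quoted path (may contain spaces) or a bare token ending in .igs/.iges.
IGS_ARG = re.compile(r'"([^"]*\.(?:igs|iges))"|(\S+\.(?:igs|iges))\b', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def opened_document(command_line):
    """Return the .igs/.iges path named on a command line, or None."""
    m = IGS_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def find_cobalt_child_alerts(events):
    """Flag suspicious children of cobalt.exe and, via ParentProcessGuid ->
    ProcessGuid, attach the IGS file the parent Cobalt instance was opened with."""
    cobalt_launches = {e["ProcessGuid"]: e for e in events if basename(e["Image"]) == PARENT}
    alerts = []
    for e in events:
        if basename(e.get("ParentImage", "")) != PARENT:
            continue
        child = basename(e["Image"])
        if child not in SUSPICIOUS_CHILDREN:
            continue
        parent = cobalt_launches.get(e.get("ParentProcessGuid"))
        alerts.append({
            "time": e["UtcTime"],
            "child": child,
            "child_cmdline": e["CommandLine"],
            "document": opened_document(parent["CommandLine"]) if parent else None,
            "reason": f"{PARENT} spawned {child}",
        })
    return alerts


# Constructed sample: explorer launches Cobalt on a downloaded IGS file and that
# Cobalt process spawns cmd.exe. The second Cobalt instance (no children) and the
# explorer-spawned cmd.exe are benign controls and must not alert.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-02 09:14:03.101", "ProcessGuid": "{A1}", "ParentProcessGuid": "{EX}",
     "Image": r"C:\Program Files\Cobalt\cobalt.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Cobalt\cobalt.exe" "C:\Users\alice\Downloads\bracket_v3.igs"'},
    {"UtcTime": "2024-05-02 09:14:07.552", "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\Cobalt\cobalt.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\Users\alice\AppData\Local\Temp\w.txt"},
    {"UtcTime": "2024-05-02 09:20:11.000", "ProcessGuid": "{C3}", "ParentProcessGuid": "{EX}",
     "Image": r"C:\Program Files\Cobalt\cobalt.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Cobalt\cobalt.exe" "C:\Projects\housing.igs"'},
    {"UtcTime": "2024-05-02 09:21:40.313", "ProcessGuid": "{D4}", "ParentProcessGuid": "{EX}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe"},
]

if __name__ == "__main__":
    for alert in find_cobalt_child_alerts(SAMPLE_EVENTS):
        print(alert)
```

Feed it the parsed Sysmon or 4688 records for a host (4688 needs "Include command line in process creation events" enabled to populate CommandLine). The GUID join is what separates a real detection from the bare query: it tells you which document and which user session to pull, and it lets you suppress the alert for Cobalt instances that never opened an external file.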