CVE-2023-35716
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious AR files in Ashlar-Vellum Cobalt. Attackers can exploit improper buffer validation during AR file parsing to read beyond allocated memory boundaries and gain code execution. Users of affected Ashlar-Vellum Cobalt installations are at risk.
💻 Affected Systems
- Ashlar-Vellum Cobalt
📦 What is this software?
Cobalt by Ashlar
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes code in the context of the current user, potentially installing malware, stealing sensitive data, or establishing persistence on the system.
If Mitigated
Limited impact due to proper application sandboxing, least privilege execution, and network segmentation preventing lateral movement.
🎯 Exploit Status
Exploitation requires user interaction but leverages common memory corruption techniques; ZDI advisory suggests active exploitation potential
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Specific version not provided in references; check vendor advisory
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-879/
Restart Required: Yes
Instructions:
1. Check Ashlar-Vellum website for security updates
2. Download and install latest Cobalt version
3. Restart application and verify patch installation
🔧 Temporary Workarounds
Restrict AR file handling: Block or restrict AR file extensions at network perimeter and endpoint
Application sandboxing: Run Cobalt with reduced privileges and in an isolated environment
🧯 If You Can't Patch
- Implement strict file type filtering for AR files at email gateways and web proxies
- Educate users about risks of opening untrusted AR files and implement application whitelisting
🔍 How to Verify
Check if Vulnerable:
Check the installed Cobalt version against the vendor's list of patched versions; if it is an unpatched version, assume it is vulnerable
Check Version:
Check application 'About' menu or consult vendor documentation
Verify Fix Applied:
Verify installed version matches or exceeds vendor's patched version
📡 Detection & Monitoring
Log Indicators:
- Unexpected process crashes of Cobalt application
- Unusual file access patterns for AR files
- Suspicious child processes spawned from Cobalt
Network Indicators:
- Downloads of AR files from untrusted sources
- Outbound connections from Cobalt to suspicious IPs
SIEM Query:
Process creation where parent process contains 'cobalt' AND (command line contains '.ar' OR file path contains '.ar')
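The SIEM pseudo-query above, implemented as an added Python example (not from the advisory or the vendor) over constructed Sysmon-style process-creation events; the field names, the interpreter list and the Cobalt helper path are assumptions. It matches '.ar' only as a file extension, because a bare substring match also fires on names such as '.archive', and it additionally flags the "suspicious child process" indicator listed above.

```python
import re

# Shells and script hosts a CAD viewer should not normally spawn (a defender-chosen
# list, assumed here; not part of the advisory).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}

# '.ar' only as an extension: followed by a quote, whitespace, or end of string.
AR_EXT = re.compile(r'\.ar(?=["\'\s]|$)', re.IGNORECASE)

# Constructed sample events (Sysmon-style field names are an assumption).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\part.ar"'},
    {"ParentImage": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0x4"},
    {"ParentImage": r"C:\Windows\explorer.exe",           # parent is not Cobalt
     "Image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "CommandLine": r'"Cobalt.exe" C:\Users\alice\Downloads\model.ar'},
    {"ParentImage": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "Image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Updater.exe",  # hypothetical helper
     "CommandLine": r"Updater.exe --log C:\ProgramData\Cobalt\update.archive.log"},
    {"ParentImage": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Temp\run.ps1"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def naive_substring_match(event: dict) -> bool:
    """The pseudo-query taken literally: parent contains 'cobalt' and '.ar' anywhere."""
    return ("cobalt" in basename(event.get("ParentImage", ""))
            and ".ar" in event.get("CommandLine", "").lower())


def classify(event: dict) -> list:
    """Return the names of the detection rules this event matches."""
    hits = []
    if "cobalt" not in basename(event.get("ParentImage", "")):
        return hits                      # only children of Cobalt are in scope
    if AR_EXT.search(event.get("CommandLine", "")) or AR_EXT.search(event.get("Image", "")):
        hits.append("cobalt_child_references_ar_file")
    if basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN:
        hits.append("cobalt_spawned_interpreter")
    return hits


def alerts(events: list) -> list:
    """(index, matched rules) for every event that triggers at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```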