CVE-2023-35958
📋 TL;DR
CVE-2023-35958 is a heap-based buffer overflow vulnerability in GTKWave's FST file parser that allows arbitrary code execution when a user opens a malicious .fst file. This affects users of GTKWave 3.3.115 who process untrusted waveform data files. The vulnerability resides in the fstReaderIterBlocks2 function's VCDATA parsing via the fstFread copy function.
💻 Affected Systems
- GTKWave
📦 What is this software?
Gtkwave by Tonybybell
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining the same privileges as the user running GTKWave, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local privilege escalation or arbitrary code execution in the context of the user opening the malicious file, potentially compromising sensitive engineering data.
If Mitigated
Denial of service (crash) if exploit fails or is detected by security controls.
🎯 Exploit Status
Exploitation requires user interaction: the victim must open a malicious .fst file. Talos Intelligence has published detailed analysis and a proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.3.115 (check for updates from GTKWave repository)
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html
Restart Required: No
Instructions:
1. Check the current GTKWave version.
2. Update to the latest version from the official GTKWave repository or your package manager.
3. Verify the update by checking the version and testing with known safe .fst files.
🔧 Temporary Workarounds
Restrict .fst file processing
Limit GTKWave to only process .fst files from trusted sources using file access controls (all platforms).
Run with reduced privileges
Execute GTKWave with limited user privileges to minimize impact if exploitation occurs (Linux).
sudo -u lowprivuser gtkwave
🧯 If You Can't Patch
- Isolate GTKWave usage to dedicated systems with no sensitive data or network access
- Implement application whitelisting to prevent execution of unexpected processes from GTKWave
🔍 How to Verify
Check if Vulnerable:
Check GTKWave version: 'gtkwave --version' or 'dpkg -l | grep gtkwave' on Debian/Ubuntu
Check Version:
gtkwave --version 2>/dev/null || echo "Check package manager for version"
Verify Fix Applied:
Confirm version is newer than 3.3.115 and test with sample .fst files from trusted sources
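The version check above can be scripted so it gives a clear vulnerable/patched/unknown answer instead of relying on eyeballing the output. This is an added example, not code from the advisory or the GTKWave project; it assumes `gtkwave --version` prints a dotted version triple somewhere in its output (the exact banner text is not on this page) and treats 3.3.115 and anything older as not carrying the fix, since the advisory names versions after 3.3.115 as fixed.

```python
import re
import subprocess

# Last upstream version the advisory lists as affected (from the page).
LAST_VULNERABLE = (3, 3, 115)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(output):
    """Extract the first dotted version triple from a banner such as the
    output of `gtkwave --version`; returns None if none is present.
    The banner format is assumed, so a None result means 'could not tell'."""
    m = VERSION_RE.search(output or "")
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version):
    """'vulnerable' for 3.3.115 or older (assumption: older releases do not
    carry the fix), 'patched' for anything newer, 'unknown' when unparsed."""
    if version is None:
        return "unknown"
    return "vulnerable" if version <= LAST_VULNERABLE else "patched"


def check_installed(binary="gtkwave"):
    """Run `<binary> --version` and classify the result. Never raises: a
    missing binary or a hung process both yield 'unknown' so the caller
    can fall back to the package manager, as the advisory suggests."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return classify(parse_version(out.stdout + out.stderr))


if __name__ == "__main__":
    print(check_installed())
```

One caveat for distribution packages: a vendor backport (the Debian LTS advisory referenced above is one) can ship the fix while keeping an upstream version number at or below 3.3.115, so an "unknown" or "vulnerable" result from the upstream version string should be cross-checked against the package changelog before concluding the host is exposed.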
📡 Detection & Monitoring
Log Indicators:
- GTKWave crashes with segmentation faults
- Unexpected child processes spawned from GTKWave
Network Indicators:
- Unusual outbound connections from GTKWave process
SIEM Query:
Process creation where parent_process contains 'gtkwave' AND (process_name not in ['gtkwave', 'sh', 'bash'])
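The two indicators above (segfaults logged for the GTKWave process, and unexpected children spawned by it) can be checked offline against exported logs before they are turned into a SIEM rule. The block below is an added example, not part of the advisory; the kernel-style segfault lines and the process-creation CSV are constructed samples, and the CSV column names (`parent_process`, `process_name`, `command_line`) are assumed to match whatever the collector exports.

```python
import csv
import re
from io import StringIO

# Constructed sample syslog lines (not real telemetry). The kernel logs a
# line of this shape when a process dies with SIGSEGV.
SAMPLE_SYSLOG = """\
Apr  2 10:01:09 eda-ws1 kernel: [12345.678] gtkwave[4321]: segfault at 41414141 ip 00007f0000001234 sp 00007ffc00001000 error 4 in libc.so.6[7f0000000000+1c000]
Apr  2 10:01:10 eda-ws1 kernel: [12345.700] firefox[999]: segfault at 0 ip 00007f0000005678 sp 00007ffc00002000 error 6 in libxul.so[7f0000100000+8000000]
Apr  2 10:05:00 eda-ws1 systemd[1]: Started Session 12 of user alice.
"""

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = """\
timestamp,host,parent_process,process_name,command_line
2024-04-02T10:01:00Z,eda-ws1,gtkwave,gtkwave,gtkwave design.fst
2024-04-02T10:01:05Z,eda-ws1,gtkwave,sh,sh -c ls
2024-04-02T10:01:07Z,eda-ws1,gtkwave,curl,curl http://example.invalid/x
2024-04-02T10:02:00Z,eda-ws2,bash,gtkwave,gtkwave sim.fst
2024-04-02T10:02:30Z,eda-ws2,/usr/bin/gtkwave,python3,python3 -c print(1)
"""

# Same allowlist as the advisory's SIEM query.
EXPECTED_CHILDREN = {"gtkwave", "sh", "bash"}

# Matches the kernel's "<comm>[<pid>]: segfault at" line for gtkwave only.
SEGFAULT_RE = re.compile(r"\bgtkwave\[\d+\]: segfault at\b")


def find_gtkwave_segfaults(syslog_text):
    """Return the syslog lines recording a segfault in a gtkwave process.
    Repeated hits on one host are a stronger signal than a single crash."""
    return [line for line in syslog_text.splitlines()
            if SEGFAULT_RE.search(line)]


def suspicious_children(events_csv):
    """Apply the advisory's rule: parent contains 'gtkwave' AND the child is
    not in the expected set. Returns (host, process_name, command_line)
    tuples so an analyst can see what was launched."""
    hits = []
    for row in csv.DictReader(StringIO(events_csv)):
        parent = row["parent_process"].lower()
        child = row["process_name"].lower()
        if "gtkwave" in parent and child not in EXPECTED_CHILDREN:
            hits.append((row["host"], row["process_name"], row["command_line"]))
    return hits


if __name__ == "__main__":
    for line in find_gtkwave_segfaults(SAMPLE_SYSLOG):
        print("SEGFAULT:", line)
    for host, name, cmd in suspicious_children(SAMPLE_EVENTS):
        print(f"UNEXPECTED CHILD on {host}: {name} ({cmd})")
```

Note the blind spot the advisory's allowlist creates: a child `sh` or `bash` is accepted without looking at what it runs, so anything launched through `sh -c` is only caught one level down, when the shell's own children are inspected. If the collector records grandparent processes, a second tier of the rule that also walks from the shell to its children closes that gap.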
🔗 References
- https://lists.debian.org/debian-lts-announce/2024/04/msg00007.html
- https://talosintelligence.com/vulnerability_reports/TALOS-2023-1785