CVE-2023-42105
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Ashlar-Vellum Cobalt installations by tricking users into opening malicious AR files or visiting malicious web pages. The flaw exists in AR file parsing where improper data validation leads to type confusion, enabling code execution in the current process context. Users of Ashlar-Vellum Cobalt software are affected.
💻 Affected Systems
- Ashlar-Vellum Cobalt
📦 What is this software?
Cobalt by Ashlar
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user running Cobalt, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Malware installation or data exfiltration from the compromised system, with impact limited to the user's privileges and system access.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially only affecting the application process.
🎯 Exploit Status
Exploitation requires user interaction but no authentication. The vulnerability was discovered by ZDI (ZDI-CAN-20562) and detailed in their advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available references
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-23-1454/
Restart Required: Yes
Instructions:
1. Check the Ashlar-Vellum website for security updates.
2. Download and install the latest version of Cobalt.
3. Restart the application and any related services.
🔧 Temporary Workarounds
Disable AR file association
Prevent Cobalt from automatically opening AR files by changing file associations in the operating system.
Windows: Use 'Default Apps' settings to change .ar file association
macOS: Use 'Get Info' on .ar files to change 'Open With' setting
User education and restrictions
Train users not to open AR files from untrusted sources and implement application control policies.
🧯 If You Can't Patch
- Implement application sandboxing or run Cobalt with minimal user privileges
- Use network segmentation to isolate systems running vulnerable Cobalt versions
🔍 How to Verify
Check if Vulnerable:
Check Cobalt version against vendor patched versions. If unable to determine, assume vulnerable if using any version prior to the security update.
Check Version:
Windows: Check 'About' in the Cobalt application menu
macOS: Check 'Cobalt > About Cobalt' in the menu bar
Verify Fix Applied:
Verify installation of latest Cobalt version from vendor and confirm AR files open without issues.
📡 Detection & Monitoring
Log Indicators:
- Unexpected process creation from Cobalt executable
- Cobalt crash logs with memory access violations
Network Indicators:
- Outbound connections from Cobalt process to unknown IPs post-file opening
SIEM Query:
Process creation where parent_process contains 'cobalt' AND (command_line contains '.ar' OR image_path contains suspicious locations)
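The SIEM query above is pseudo-syntax; the following Python script is an added example (not from the advisory or the vendor) that applies the same rule to process-creation events. It assumes events arrive as JSON lines with `parent_process`, `image_path` and `command_line` fields, and it treats a constructed list of directories (temp, Downloads, Public, ProgramData) as the "suspicious locations". It goes slightly beyond the query by matching `.ar` only as a whole extension, so a command line referencing `.archive` is not a false positive. The sample events and the Cobalt install path are constructed for the example.

```python
"""Detection logic for the advisory's SIEM query, run over constructed sample events."""
import json
import re

# Assumed "suspicious locations": directories from which a legitimate Cobalt
# child process would not normally be launched. Tune for your environment.
SUSPICIOUS_DIRS = (r"\appdata\local\temp", r"\downloads", r"\users\public", r"\programdata")

# Match ".ar" only as a complete extension (".ar" followed by a non-word char or end),
# so ".archive" or ".arc" does not trigger the rule.
AR_EXT = re.compile(r"\.ar\b")

# Constructed JSON-lines sample. Paths and event ids are made up for this example.
SAMPLE_LOG = r"""
{"event_id": "e1", "parent_process": "C:\\Program Files\\Ashlar-Vellum\\Cobalt.exe", "image_path": "C:\\Users\\alice\\Downloads\\helper.exe", "command_line": "C:\\Users\\alice\\Downloads\\helper.exe"}
{"event_id": "e2", "parent_process": "C:\\Program Files\\Ashlar-Vellum\\Cobalt.exe", "image_path": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\alice\\Documents\\part.ar"}
{"event_id": "e3", "parent_process": "C:\\Windows\\explorer.exe", "image_path": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe C:\\Users\\alice\\Documents\\part.ar"}
{"event_id": "e4", "parent_process": "C:\\Program Files\\Ashlar-Vellum\\Cobalt.exe", "image_path": "C:\\Windows\\System32\\WerFault.exe", "command_line": "WerFault.exe -u -p 1234"}
{"event_id": "e5", "parent_process": "C:\\Program Files\\Ashlar-Vellum\\Cobalt.exe", "image_path": "C:\\Program Files\\Tools\\archiver.exe", "command_line": "archiver.exe C:\\data\\model.archive"}
"""


def parse_events(log_text: str) -> list[dict]:
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def in_suspicious_location(image_path: str) -> bool:
    """True if the child image lives under one of the assumed suspicious directories."""
    path = image_path.lower()
    return any(d in path for d in SUSPICIOUS_DIRS)


def matches_rule(event: dict) -> bool:
    """Advisory rule: parent contains 'cobalt' AND (command line has an .ar file OR
    the child image is in a suspicious location)."""
    parent = event.get("parent_process", "").lower()
    if "cobalt" not in parent:
        return False
    command_line = event.get("command_line", "").lower()
    return bool(AR_EXT.search(command_line)) or in_suspicious_location(event.get("image_path", ""))


def flag_events(events: list[dict]) -> list[str]:
    """Return the ids of events that match the rule, in log order."""
    return [e["event_id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event_id in flag_events(parse_events(SAMPLE_LOG)):
        print("ALERT: child process spawned by Cobalt:", event_id)
```

Running the script flags `e1` (child launched from the Downloads folder) and `e2` (command line references a `.ar` file); `e3` has a non-Cobalt parent, `e4` matches neither branch, and `e5` is the `.archive` case the extension check is meant to exclude. A `WerFault.exe` child such as `e4` is worth a separate rule tied to the crash-log indicator listed above, since the parsing flaw may surface as a crash before it is successfully exploited.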