CVE-2024-11579
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious OBJ files in Luxion KeyShot. The flaw exists in OBJ file parsing, where improper data validation leads to a buffer overflow. All users of affected KeyShot versions are at risk.
💻 Affected Systems
- Luxion KeyShot
📦 What is this software?
KeyShot by Luxion
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's computer, potentially leading to data theft, ransomware deployment, or lateral movement within networks.
Likely Case
Local privilege escalation leading to malware installation, data exfiltration, or persistence mechanisms being established on the victim's system.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash rather than code execution.
🎯 Exploit Status
Exploitation requires user interaction but weaponization is likely given the nature of file format vulnerabilities. ZDI has confirmed the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: KeyShot 2024.1
Vendor Advisory: https://download.keyshot.com/cert/ksa-655925/ksa-655925.pdf
Restart Required: Yes
Instructions:
1. Download KeyShot 2024.1 or later from the official Luxion website
2. Run the installer and follow upgrade prompts
3. Restart KeyShot after installation completes
🔧 Temporary Workarounds
Disable OBJ file association
All platforms: Remove the OBJ file type association with KeyShot to prevent automatic opening
Windows: Control Panel > Default Programs > Associate a file type or protocol with a program > Remove .obj association with KeyShot
macOS: Right-click OBJ file > Get Info > Open With > Change to different application
Application sandboxing
All platforms: Run KeyShot in a restricted environment to limit potential damage
Windows: Use Windows Sandbox or AppLocker rules
macOS: Use macOS Sandboxing features
🧯 If You Can't Patch
- Implement strict file validation policies to block OBJ files from untrusted sources
- Run KeyShot with minimal user privileges and in isolated environments
🔍 How to Verify
Check if Vulnerable:
Check the KeyShot version in Help > About. If the version is earlier than 2024.1, the system is vulnerable.
Check Version:
KeyShot: Help > About menu shows version
Verify Fix Applied:
Verify version shows 2024.1 or later in Help > About. Test opening known safe OBJ files to ensure functionality.
📡 Detection & Monitoring
Log Indicators:
- KeyShot crash logs with memory access violations
- Unexpected process creation from KeyShot executable
- OBJ file parsing errors in application logs
Network Indicators:
- Unexpected outbound connections from KeyShot process
- Downloads of OBJ files from untrusted sources
SIEM Query:
process_name:"KeyShot.exe" AND (event_type:crash OR parent_process:unexpected)
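The log indicators and SIEM query above, worked as an added Python example (not from the vendor advisory or this page's source): it flags KeyShot crashes and child processes spawned by KeyShot, and attaches the last OBJ file seen on a KeyShot command line on that host. The event field names, the sample events and the `EXPECTED_CHILDREN` allowlist are assumptions made for illustration.

```python
import json

TARGET = "keyshot.exe"
# Hypothetical allowlist: baseline the children KeyShot really spawns in your environment.
EXPECTED_CHILDREN = {"keyshot.exe"}

# Constructed sample events; the field names are assumed, not a real product schema.
SAMPLE_EVENTS = """
{"host":"ws1","event_type":"process_create","process_name":"KeyShot.exe","parent_process":"explorer.exe","cmdline":"KeyShot.exe model.obj"}
{"host":"ws1","event_type":"process_create","process_name":"cmd.exe","parent_process":"KeyShot.exe","cmdline":"cmd.exe"}
{"host":"ws2","event_type":"process_create","process_name":"KeyShot.exe","parent_process":"explorer.exe","cmdline":"KeyShot.exe scene.stl"}
{"host":"ws2","event_type":"crash","process_name":"KeyShot.exe","detail":"access violation"}
{"host":"ws3","event_type":"crash","process_name":"notepad.exe","detail":"access violation"}
"""


def detect(lines):
    """Return alerts for KeyShot crashes and unexpected KeyShot child processes."""
    last_obj = {}  # host -> most recent .obj argument seen on a KeyShot command line
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        host = ev["host"]
        kind = ev.get("event_type")
        name = ev.get("process_name", "").lower()
        parent = ev.get("parent_process", "").lower()
        if kind == "process_create" and name == TARGET:
            # Remember which OBJ file (if any) this KeyShot instance was asked to open.
            objs = [t for t in ev.get("cmdline", "").split() if t.lower().endswith(".obj")]
            last_obj[host] = objs[-1] if objs else None
        elif kind == "process_create" and parent == TARGET and name not in EXPECTED_CHILDREN:
            alerts.append({"host": host, "rule": "unexpected_child",
                           "process": name, "obj": last_obj.get(host)})
        elif kind == "crash" and name == TARGET:
            alerts.append({"host": host, "rule": "keyshot_crash",
                           "process": name, "obj": last_obj.get(host)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

An alert that carries an `obj` value ties the crash or child process to a specific file that can be quarantined and traced back to its source.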