CVE-2024-13047
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code by tricking users into opening malicious CO files or visiting malicious web pages. It affects Ashlar-Vellum Cobalt installations due to improper data validation during CO file parsing. Attackers can leverage this type confusion condition to run code with the privileges of the current user.
💻 Affected Systems
- Ashlar-Vellum Cobalt
📦 What is this software?
Cobalt by Ashlar
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local user account compromise leading to data exfiltration, installation of malware, or persistence mechanisms on the affected workstation.
If Mitigated
Limited impact if user has minimal privileges, application runs in sandboxed environment, or file execution is blocked by security controls.
🎯 Exploit Status
Exploitation requires user interaction. The vulnerability was discovered by Zero Day Initiative (ZDI-CAN-24843).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with Ashlar-Vellum for specific patched versions
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-24-1731/
Restart Required: Yes
Instructions:
1. Contact Ashlar-Vellum support for patch availability
2. Download and install the latest security update
3. Restart the application and any related services
4. Verify the patch is applied correctly
🔧 Temporary Workarounds
Block CO file extensions
Prevent processing of malicious CO files by blocking the file extension at network and endpoint levels
Application sandboxing
Run Cobalt in a restricted environment with limited privileges
🧯 If You Can't Patch
- Implement strict file type validation and blocking for CO files at email gateways and web proxies
- Educate users about the risks of opening untrusted CO files and implement application whitelisting
🔍 How to Verify
Check if Vulnerable:
Check if Ashlar-Vellum Cobalt is installed and processes CO files. Review version against vendor advisory.
Check Version:
Check the application's 'About' dialog or consult vendor documentation to determine the installed version
Verify Fix Applied:
Verify installation of latest security patch from Ashlar-Vellum and confirm version is updated.
📡 Detection & Monitoring
Log Indicators:
- Unexpected application crashes
- Suspicious file parsing errors
- Unusual process creation from Cobalt executable
Network Indicators:
- Downloads of CO files from untrusted sources
- Outbound connections from Cobalt to suspicious IPs
SIEM Query:
Process creation where parent process contains 'cobalt' AND (command line contains '.co' OR network connection to suspicious domains)
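The SIEM pseudo-query above, carried through as an added example over constructed Sysmon-style events (this code is not part of the original advisory; the field names follow Sysmon, the paths, hostnames and watchlist are made up). It also shows why a bare `.co` substring is a poor test: it fires on `web.config` and `.com`, so the check anchors on the file extension instead.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process creation, 3 = network
# connection). Field names follow Sysmon; all values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\part.CO"'},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\app\web.config"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "CommandLine": r'"Cobalt.exe" "C:\Users\alice\Documents\bracket.co"'},
    {"EventID": 3, "Image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "DestinationHostname": "cdn.bad-example.invalid"},
    {"EventID": 3, "Image": r"C:\Program Files\Ashlar-Vellum\Cobalt\Cobalt.exe",
     "DestinationHostname": "licensing.ashlar-example.invalid"},
]

# Placeholder watchlist; in production this is fed from threat intel, not hardcoded.
SUSPICIOUS_DOMAINS = {"cdn.bad-example.invalid"}

# Anchored extension match: '.co' must be followed by a quote, whitespace or the end
# of the command line, so 'web.config' and 'example.com' do not fire.
CO_FILE_ARG = re.compile(r'\.co(?=["\s]|$)', re.IGNORECASE)

def naive_match(event):
    """Literal reading of the pseudo-query: substring '.co' anywhere in the command line."""
    return (event["EventID"] == 1 and "cobalt" in event["ParentImage"].lower()
            and ".co" in event["CommandLine"].lower())

def match_event(event):
    """Return the name of the rule that fired for one event, or None."""
    if event["EventID"] == 1:
        if "cobalt" in event["ParentImage"].lower() and CO_FILE_ARG.search(event["CommandLine"]):
            return "cobalt_child_with_co_file"
    elif event["EventID"] == 3:
        if "cobalt" in event["Image"].lower() and event["DestinationHostname"].lower() in SUSPICIOUS_DOMAINS:
            return "cobalt_suspicious_destination"
    return None

def run_rules(events):
    """Map each event index to the rule it triggered; events with no hit are omitted."""
    return {i: r for i, e in enumerate(events) if (r := match_event(e))}

if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))  # {0: 'cobalt_child_with_co_file', 3: 'cobalt_suspicious_destination'}
    print([i for i, e in enumerate(SAMPLE_EVENTS) if naive_match(e)])  # [0, 1]: web.config false positive
```

Event 2 (a user opening a CO file in Cobalt from Explorer) is deliberately not flagged; the rule is about Cobalt spawning children or reaching out, not about normal use.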