CVE-2024-30374
📋 TL;DR
This vulnerability allows a remote attacker to execute arbitrary code on a machine running Luxion KeyShot Viewer by tricking the user into opening a malicious KSP file. The flaw is in the parsing of KSP files: the viewer does not properly validate file contents, allowing a write past the end of a buffer (out-of-bounds write) that can be leveraged to run attacker-supplied code in the context of the viewer process, i.e. with the privileges of the user who opened the file. Every user of Luxion KeyShot Viewer who opens KSP files from untrusted sources is affected.
💻 Affected Systems
- Luxion KeyShot Viewer
📦 What is this software?
KeyShot is Luxion's 3D rendering and animation software. KeyShot Viewer is the free companion application used to open and interactively view KSP (KeyShot Package) files, the scene packages exported from KeyShot. Because it is the tool a customer, reviewer or colleague uses to look at a render they have been sent, it is commonly installed on machines outside the design team.
⚠️ Risk & Real-World Impact
Worst Case
Code execution as the user who opened the file, escalating to complete system compromise if that user is a local administrator or the attacker chains a separate privilege-escalation bug; from there, data theft, ransomware deployment or lateral movement within the network.
Likely Case
Arbitrary code running in the context of the KeyShot Viewer process, i.e. with the privileges of the logged-in user: installation of malware, exfiltration of the files that user can read, and persistence on the compromised workstation. The bug itself is not a privilege escalation.
If Mitigated
Limited impact: with the viewer running as a standard user and the usual exploit mitigations (DEP, ASLR) in place, an unreliable exploit more often crashes the application than takes over the system.
🎯 Exploit Status
Exploitation requires user interaction: the target must open a crafted KSP file (delivered by email, download or a shared drive), but no authentication or prior access is needed. Triggering the out-of-bounds write is straightforward once the file is opened; turning it into reliable code execution is the usual memory-corruption exploit-development effort against the viewer process. Treat any unsolicited KSP file as hostile.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Luxion's official security advisory for specific patched versions
Vendor Advisory: https://www.luxion.com/security/
Restart Required: Yes
Instructions:
1. Visit Luxion's official website
2. Check for security advisories related to CVE-2024-30374
3. Download and install the latest version of KeyShot Viewer
4. Restart the application and system if required
🔧 Temporary Workarounds
Disable KSP file association
Remove or change the file association for .ksp files so that double-clicking a KSP file no longer opens it in KeyShot Viewer. This only blocks the double-click path; a user can still open the file from the viewer's own File > Open dialog, so pair it with user guidance.
Windows: Use 'Default Apps' settings to change the .ksp file association
macOS: Use 'Get Info' on a KSP file, change 'Open with' to a different application and click 'Change All...'
Application control blocking
Use application control (for example AppLocker or WDAC on Windows) to block execution of KeyShot Viewer, or restrict it to the users and installation paths that need it, until the patched version is deployed
🧯 If You Can't Patch
- Implement strict user training about opening untrusted KSP files
- Deploy endpoint protection with behavioral analysis to detect exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if KeyShot Viewer is installed and which version is running, then compare against the patched versions listed in the vendor advisory. KeyShot Viewer is often installed on the machines of people who only receive KSP files, not just on the workstations of KeyShot users, so inventory every endpoint rather than only the design team.
Check Version:
Windows: the 'About' entry in the KeyShot Viewer menu, the Details tab of the executable's Properties, or the DisplayVersion value under the application's Uninstall registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, also the WOW6432Node branch). macOS: 'About KeyShot Viewer' in the application menu, or 'Get Info' on the application bundle.
Verify Fix Applied:
Confirm the installed version number is at or above the patched release named in Luxion's advisory and that the installer was obtained from Luxion's official website. Re-check after the application has been restarted, since the old binary keeps running until the viewer is closed.
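To run the version check across a fleet rather than clicking through 'About' on each machine, here is an added example (not Luxion's tooling and not from this page) that inventories installed KeyShot Viewer versions and compares them with the patched release you take from the vendor advisory. Assumptions: the Windows installer registers under the standard Uninstall registry keys with a DisplayName containing 'KeyShot Viewer', the macOS bundle lives at /Applications/KeyShot Viewer.app, and the patched version number is supplied on the command line because this page does not name one.

```python
"""Inventory installed KeyShot Viewer versions and flag those below the patched release.

Added example, not vendor tooling. Assumptions: on Windows the installer registers
under the standard Uninstall keys with a DisplayName containing "KeyShot Viewer";
on macOS the bundle is /Applications/KeyShot Viewer.app; the patched version
number is supplied by you from Luxion's advisory (this page does not name one).
"""
import plistlib
import sys
from pathlib import Path
from typing import List, Tuple

MACOS_BUNDLE_PLIST = Path("/Applications/KeyShot Viewer.app/Contents/Info.plist")  # assumed path


def parse_version(text: str) -> Tuple[int, ...]:
    """'2024.1.2' -> (2024, 1, 2); a non-numeric suffix such as '1b' counts as 1."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(installed: str, patched: str) -> bool:
    """True when installed < patched; shorter tuples are zero-padded (2024.1 == 2024.1.0)."""
    a, b = parse_version(installed), parse_version(patched)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def _windows_versions() -> List[Tuple[str, str]]:
    import winreg  # Windows only

    hives = [
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"),
        (winreg.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    ]
    found = []
    for hive, path in hives:
        try:
            root = winreg.OpenKey(hive, path)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                        name = str(winreg.QueryValueEx(sub, "DisplayName")[0])
                        if "keyshot viewer" in name.lower():
                            version = str(winreg.QueryValueEx(sub, "DisplayVersion")[0])
                            found.append((name, version))
                except OSError:
                    continue  # subkey without DisplayName/DisplayVersion
    return found


def _macos_versions() -> List[Tuple[str, str]]:
    if not MACOS_BUNDLE_PLIST.is_file():
        return []
    with MACOS_BUNDLE_PLIST.open("rb") as fh:
        info = plistlib.load(fh)
    return [("KeyShot Viewer", str(info.get("CFBundleShortVersionString", "0")))]


def installed_versions() -> List[Tuple[str, str]]:
    if sys.platform == "win32":
        return _windows_versions()
    if sys.platform == "darwin":
        return _macos_versions()
    return []  # the viewer ships for Windows and macOS; nothing to check elsewhere


def report(patched: str) -> List[Tuple[str, str, bool]]:
    """(name, installed version, vulnerable?) for every KeyShot Viewer found."""
    return [(name, ver, is_vulnerable(ver, patched)) for name, ver in installed_versions()]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_keyshot_viewer.py <patched version from Luxion's advisory>")
    rows = report(sys.argv[1])
    if not rows:
        print("KeyShot Viewer not found in the standard install locations")
    for name, ver, vuln in rows:
        print(f"{name} {ver}: {'VULNERABLE - update' if vuln else 'at or above patched version'}")
```

The patched version is a required argument on purpose: a default of "unknown" would silently report every host as safe. Run it through your endpoint management tool and collect the output, then re-run after the rollout to confirm no old binaries remain.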
📡 Detection & Monitoring
Log Indicators:
- Crashes of KeyShot Viewer shortly after a KSP file is opened (Windows Application log Event ID 1000 "Application Error" naming the viewer as the faulting application, WerFault.exe spawned by the viewer, macOS crash reports); a malformed file that fails to achieve code execution typically crashes the process
- Process creation where KeyShot Viewer is the parent (Sysmon Event ID 1 or Windows Security Event ID 4688), especially cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe or bitsadmin.exe; a viewer has no legitimate reason to launch these
- KSP files arriving by email, download or removable media and opened from Downloads, Temp or mail-attachment directories
Network Indicators:
- Outbound connections from the KeyShot Viewer process (Sysmon Event ID 3) to destinations other than the vendor's licensing or update hosts
- DNS requests for newly observed or low-reputation domains immediately after a KSP file is opened
SIEM Query:
Process creation where parent process is 'keyshotviewer.exe' AND child process in (cmd.exe, powershell.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe, bitsadmin.exe)
OR Network connection where process is 'keyshotviewer.exe' AND destination IP is external AND destination is not on the vendor allowlist
Check the exact image name of the viewer executable on a reference installation before deploying the rule; if it differs from the name used here the rule will silently miss.
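Worked detection logic for the indicators above, as an added example that is not from this page, the vendor or any SIEM product: it applies the rule to Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records, grades each hit, and also records which KSP file the viewer opened so later hits can be correlated with it. Assumptions: the viewer's image name is keyshotviewer.exe as written in the query above (confirm on an actual install), events are JSON lines using Sysmon field names, the sample log is constructed, and 203.0.113.0/24 stands in for whatever vendor or update destinations you allowlist.

```python
"""Triage Sysmon-style events for post-exploitation behaviour of KeyShot Viewer.

Added example, not vendor or page code. Assumptions: the viewer's image name is
keyshotviewer.exe (as in the page's query); events are JSON lines with Sysmon
field names; 203.0.113.0/24 stands in for your vendor/licensing allowlist.
"""
import ipaddress
import json
from typing import Iterable, List, Optional, Tuple

VIEWER_IMAGES = {"keyshotviewer.exe"}  # assumed; confirm on a reference install

# Living-off-the-land binaries a document viewer has no reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# "Internal" is listed explicitly rather than via ip.is_private, because
# is_private also covers documentation ranges such as 198.51.100.0/24.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Placeholder allowlist (TEST-NET-3): replace with the vendor's real hosts.
ALLOWLISTED_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/24")]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_external(ip_str: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # empty field or hostname: not evaluable here
    return not any(ip in net for net in INTERNAL_RANGES)


def _is_allowlisted(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWLISTED_DESTINATIONS)


def evaluate(event: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, message) for one event, or None if nothing is notable."""
    eid = event.get("EventID")
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    if eid == 1:  # Sysmon: process creation
        if image in VIEWER_IMAGES and ".ksp" in cmdline.lower():
            # Context only: which KSP was opened, for correlating later hits.
            return ("info", f"KeyShot Viewer opened a KSP file: {cmdline}")
        if parent in VIEWER_IMAGES:
            if image in SUSPICIOUS_CHILDREN:
                return ("high", f"KeyShot Viewer spawned {image}: {cmdline}")
            if image == "werfault.exe":
                return ("medium", "KeyShot Viewer crashed (WerFault.exe spawned); "
                                  "check the last KSP it opened")
            return ("medium", f"KeyShot Viewer spawned unexpected child {image}")
    elif eid == 3:  # Sysmon: network connection
        dst = str(event.get("DestinationIp", ""))
        if image in VIEWER_IMAGES and _is_external(dst) and not _is_allowlisted(dst):
            return ("high", f"KeyShot Viewer connected to non-allowlisted external "
                            f"host {dst}:{event.get('DestinationPort')}")
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run evaluate() over JSON-lines input; unparsable lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = evaluate(event)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs); paths are illustrative.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Program Files\\KeyShot Viewer\\keyshotviewer.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\KeyShot Viewer\\keyshotviewer.exe\" \"C:\\Users\\alice\\Downloads\\quote.ksp\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\KeyShot Viewer\\keyshotviewer.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID": 3, "Image": "C:\\Program Files\\KeyShot Viewer\\keyshotviewer.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\KeyShot Viewer\\keyshotviewer.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\KeyShot Viewer\\keyshotviewer.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WerFault.exe", "ParentImage": "C:\\Program Files\\KeyShot Viewer\\keyshotviewer.exe", "CommandLine": "WerFault.exe -u -p 4242 -s 1234"}
"""

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity.upper()}] {message}")
```

On the constructed sample this yields one info record (the viewer opening quote.ksp), two high findings (cmd.exe launched by the viewer, and a connection to 198.51.100.7) and one medium finding (the WerFault.exe crash handler); the allowlisted and internal connections produce nothing. The explicit internal-range list is deliberate: ipaddress.is_private treats the documentation networks as private, which would hide exactly the kind of test data used here and, more importantly, any real destination that happens to fall into a range you did not expect.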