CVE-2024-5507

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of Luxion KeyShot Viewer. Attackers can exploit it by tricking users into opening malicious KSP files or visiting malicious web pages. Users of Luxion KeyShot Viewer are affected.

💻 Affected Systems

Products:
  • Luxion KeyShot Viewer
Versions: Specific vulnerable versions not specified in advisory - check vendor advisory for details
Operating Systems: Windows, macOS, Linux (if supported)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default when processing KSP files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to installation of malware, data exfiltration, or persistence mechanisms on the compromised system.

🟢 If Mitigated

Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash rather than code execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

User interaction required (opening malicious file). Stack-based buffer overflow typically allows reliable exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched version

Vendor Advisory: https://www.keyshot.com/csirt/

Restart Required: Yes

Instructions:

1. Visit https://www.keyshot.com/csirt/
2. Download and install the latest version of KeyShot Viewer
3. Restart the application

🔧 Temporary Workarounds

Disable KSP file association (all platforms)

Remove or modify file associations to prevent automatic opening of KSP files with KeyShot Viewer

Windows: Use 'Default Apps' settings to change KSP file association
macOS: Use 'Get Info' on KSP files to change default application

Application sandboxing (all platforms)

Run KeyShot Viewer in a restricted environment to limit potential damage

Windows: Use Windows Sandbox or AppLocker
macOS: Use sandbox-exec or Gatekeeper

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems running KeyShot Viewer
  • Deploy application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check the installed KeyShot Viewer version against the vendor advisory. If a vulnerable version is installed and can open KSP files, the system is vulnerable.

Check Version:

Windows: Check Help > About in KeyShot Viewer
macOS: Check KeyShot Viewer > About KeyShot Viewer

Verify Fix Applied:

Verify that the installed version matches or exceeds the patched version specified in the vendor advisory

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with stack overflow errors
  • Unexpected child processes spawned from KeyShot Viewer
  • Network connections from KeyShot Viewer to suspicious IPs

Network Indicators:

  • Outbound connections from KeyShot Viewer to unknown external IPs
  • DNS requests for suspicious domains from systems running KeyShot Viewer

SIEM Query:

(process_name:"KeyShot Viewer" AND event_type:crash) OR parent_process:"KeyShot Viewer"
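
The log and network indicators above can also be checked offline against exported endpoint events. The following is an added example, not part of the vendor advisory or this page's original content. The `host` and `dest_ip` fields, the internal address ranges and the sample events are assumptions constructed for illustration, and the process name is taken from the query above.

```python
# Added example: triage endpoint events for the indicators listed above.
# Field names and sample events are constructed; map them to your EDR/SIEM schema.
import ipaddress

VIEWER = "KeyShot Viewer"  # process name as written in the page's SIEM query
INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # assumed internal ranges
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "ws-01", "event_type": "process_start", "process_name": VIEWER,
     "parent_process": "explorer.exe"},
    {"host": "ws-01", "event_type": "crash", "process_name": VIEWER,
     "parent_process": "explorer.exe"},
    {"host": "ws-02", "event_type": "process_start", "process_name": "cmd.exe",
     "parent_process": VIEWER},
    {"host": "ws-03", "event_type": "network", "process_name": VIEWER,
     "parent_process": "explorer.exe", "dest_ip": "203.0.113.50"},
    {"host": "ws-03", "event_type": "network", "process_name": VIEWER,
     "parent_process": "explorer.exe", "dest_ip": "10.0.4.12"},
]

def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(event):
    """Return the indicator an event matches, or None."""
    proc = event.get("process_name")
    kind = event.get("event_type")
    if kind == "process_start" and event.get("parent_process") == VIEWER and proc != VIEWER:
        return "child_process"        # viewer spawned another program
    if proc == VIEWER and kind == "crash":
        return "viewer_crash"         # possible failed exploitation attempt
    if proc == VIEWER and kind == "network" and is_external(event["dest_ip"]):
        return "external_connection"  # a file viewer reaching out of the network
    return None

def triage(events):
    """Return (host, indicator) for every matching event, in input order."""
    return [(e["host"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for host, indicator in triage(SAMPLE_EVENTS):
        print(f"{host}: {indicator}")
```

A crash on its own is a weak signal; a crash followed by a child process or external connection on the same host warrants investigation first.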
