CVE-2024-5509

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Luxion KeyShot installations by tricking users into opening malicious BIP files. The flaw exists in how KeyShot loads libraries from unsecured locations during BIP file parsing. All users running vulnerable versions of KeyShot are affected.

💻 Affected Systems

Products:
  • Luxion KeyShot
Versions: Specific versions not disclosed in references; check vendor advisory for details
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All platforms running vulnerable KeyShot versions are affected. User interaction required (opening malicious BIP file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining the same privileges as the KeyShot user, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Local privilege escalation or malware installation on the user's system when opening a malicious BIP file from email or downloads.

🟢 If Mitigated

Limited impact if the user runs with minimal privileges and doesn't open untrusted files, though code execution is still possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the user to open a malicious file. The attack vector is DLL hijacking/planting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific fixed version

Vendor Advisory: https://www.keyshot.com/csirt/

Restart Required: Yes

Instructions:

1. Visit https://www.keyshot.com/csirt/
2. Download and install the latest KeyShot update
3. Restart KeyShot and verify version

🔧 Temporary Workarounds

Restrict BIP file handling (platforms: all)

Configure the system to open BIP files with alternative applications or block execution.

Run with reduced privileges (platforms: all)

Run KeyShot under a limited user account to reduce impact.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized executables
  • Educate users to never open BIP files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the KeyShot version against the vendor advisory. If a vulnerable version is in use and BIP files are opened with it, the system is vulnerable.

Check Version:

In KeyShot: Help → About KeyShot

Verify Fix Applied:

Verify that the KeyShot version matches or exceeds the patched version from the vendor advisory.

📡 Detection & Monitoring

Log Indicators:

  • KeyShot loading DLLs from unusual locations
  • Process creation from KeyShot with suspicious parent-child relationships

Network Indicators:

  • Outbound connections from KeyShot process to suspicious IPs

SIEM Query:

Process creation where parent process contains 'keyshot' and child process is suspicious executable
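
The first log indicator above (KeyShot loading DLLs from unusual locations) can be checked on Windows against Sysmon image-load events (Event ID 7). The following is an added example, not part of the vendor advisory or of KeyShot; the install path, the JSON export shape and the sample events are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath

# Assumption: directories KeyShot legitimately loads modules from.
# The install path is a placeholder; set it to the real one.
TRUSTED_DIRS = [PureWindowsPath(r"C:\Windows\System32"),
                PureWindowsPath(r"C:\Program Files\KeyShot")]

def is_under(path, root):
    """True if path lies inside root; compares whole components, case-insensitively."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return len(p) > len(r) and p[:len(r)] == r

def suspicious_loads(log_lines, process_hint="keyshot"):
    """Return (process image, loaded module, note) for loads outside TRUSTED_DIRS."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("EventID") != 7:          # Sysmon 7 = ImageLoad
            continue
        image = PureWindowsPath(ev["Image"])
        if process_hint not in image.name.lower():
            continue
        module = PureWindowsPath(ev["ImageLoaded"])
        if any(is_under(module, d) for d in TRUSTED_DIRS):
            continue
        note = "signed" if ev.get("Signed") == "true" else "unsigned"
        findings.append((str(image), str(module), note))
    return findings

def _ev(event_id, image, loaded, signed):
    return json.dumps({"EventID": event_id, "Image": image,
                       "ImageLoaded": loaded, "Signed": signed})

KS = r"C:\Program Files\KeyShot\bin\keyshot.exe"   # constructed path
# Constructed sample events, not taken from a real incident.
SAMPLE = [
    _ev(7, KS, r"C:\Windows\System32\version.dll", "true"),
    _ev(7, KS, r"C:\Program Files\KeyShot\bin\render.dll", "true"),
    _ev(7, KS, r"C:\Users\alice\Downloads\scene\version.dll", "false"),
    _ev(7, KS, r"C:\Program Files\KeyShot_old\render.dll", "true"),
    _ev(7, r"C:\Windows\notepad.exe", r"C:\Users\alice\Downloads\x.dll", "false"),
    _ev(1, KS, "", "false"),
]

if __name__ == "__main__":
    for image, module, note in suspicious_loads(SAMPLE):
        print(f"ALERT {image} loaded {note} module {module}")
```

The component-wise comparison is what keeps a sibling directory such as `KeyShot_old` from passing as trusted, which a plain string-prefix match would allow.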
