Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, and Lithium Vulnerability

By Arthur Yamamoto on November 1, 2023

Executive Summary

On Thursday, October 26, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an industrial control system advisory (ICSA-23-299-03) regarding two vulnerabilities in Ashlar-Vellum’s 3D modeling software Cobalt, Graphite, Xenon, Argon, and Lithium. Michael Heinzl, a cyber security researcher specializing in vulnerability research and exploit development, notified CISA about the vulnerabilities. The group of 3D modeling software mentioned is part of Ashlar-Vellum’s drafting, modeling, and printing software. It allows for creative work while being reasonably easy to use from the user’s perspective. The vulnerabilities that were found, if exploited, could allow an attacker to execute arbitrary code, meaning an attacker could run commands or code of their choosing on the target machine or within the target process.

Background

On Thursday, October 26, 2023, cyber security researcher Michael Heinzl reported two vulnerabilities to CISA which involved Ashlar-Vellum’s 3D modeling software: 

  • Cobalt: v12 SP0 Build (1204.77) and prior
  • Graphite: v13.0.48 and prior
  • Xenon: v12 SP0 Build (1204.77) and prior
  • Argon: v12 SP0 Build (1204.77) and prior
  • Lithium: v12 SP0 Build (1204.77) and prior

The two exposures were classified as an out-of-bounds write and an out-of-bounds read, respectively, and each was assigned a common vulnerabilities and exposures (CVE) identifier: CVE-2023-39427 and CVE-2023-39936. The out-of-bounds write vulnerability affects Cobalt, Xenon, Argon, Lithium, and Cobalt Share v12 SP0 Build (1204.77), while the out-of-bounds read affects only Graphite v13.0.48.

Vulnerabilities

The two vulnerabilities have a similar impact on the systems running the software. The first, CVE-2023-39427, is an out-of-bounds write. When processing XE files, the affected software fails to validate user-supplied data, which results in a write beyond the end of a buffer. An out-of-bounds write occurs when software modifies memory in a way it was not designed to, such as copying data into a memory buffer and overshooting the end of that buffer. An attacker could exploit this flaw to run arbitrary code in the context of the current process.

CVE-2023-39936 is an out-of-bounds read. In Graphite v13.0.48, when processing VC6 files, there is again insufficient validation of user-supplied data, which results in an out-of-bounds read. This memory access error occurs when a program reads from a memory address outside the confines of a buffer, so the software may read data it does not own. An attacker could exploit this flaw to run arbitrary code as well. No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time, and the vulnerabilities are not exploitable remotely.
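
The following is an added illustration, not Ashlar-Vellum’s code: the XE and VC6 formats are proprietary, so the record layout here (a 4-byte little-endian length followed by payload bytes) is constructed. It shows the unvalidated-length pattern that produces both bug classes named in the advisory, beside the two checks that close them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy format (not the real XE/VC6 layouts): a record is a
 * 4-byte little-endian payload length followed by the payload bytes. */
#define MAX_PAYLOAD 64

struct record {
    uint32_t len;
    uint8_t payload[MAX_PAYLOAD];
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bug class from the advisory: the length is user-supplied data taken
 * straight from the file and never validated. A length larger than
 * MAX_PAYLOAD overruns payload[] (out-of-bounds write, CWE-787); a length
 * larger than the bytes present reads past the file buffer (out-of-bounds
 * read, CWE-125). Kept only for contrast with the hardened version below. */
int parse_record_unsafe(const uint8_t *file, size_t file_len,
                        struct record *out) {
    if (file_len < 4) return -1;
    out->len = read_le32(file);
    memcpy(out->payload, file + 4, out->len);   /* no bounds check */
    return 0;
}

/* Hardened parser: validate the length against both the destination
 * buffer and the bytes actually available before any memory access. */
int parse_record_safe(const uint8_t *file, size_t file_len,
                      struct record *out) {
    if (file == NULL || out == NULL || file_len < 4) return -1;
    uint32_t len = read_le32(file);
    if (len > MAX_PAYLOAD) return -2;          /* would overflow payload[] */
    if ((size_t)len > file_len - 4) return -3; /* would read past the file */
    out->len = len;
    memcpy(out->payload, file + 4, len);
    return 0;
}
```

The two rejected cases map directly onto the advisory: a length larger than the destination buffer is the out-of-bounds write, and a length larger than what the file actually contains is the out-of-bounds read.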

Significance

Arbitrary code execution allows an attacker to run commands that a standard user would not otherwise be able to run and could potentially open the door to privilege escalation. Successful exploitation could give the attacker system-level access to the device on which the software is installed and the ability to do significant damage to the organization and possibly its assets as well. Ashlar-Vellum recommends users apply the following mitigations to help reduce risk:

  • Graphite: install the latest version.
  • Cobalt, Xenon, Lithium, and Argon: update to v12 Build (1204.78).
  • Only open files from trusted sources.

CISA reminds organizations to perform proper impact analysis and risk assessment before deploying defensive measures. CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

References

Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium. Cybersecurity and Infrastructure Security Agency (CISA). (2023, October 26). https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-03

CVE-2023-39427 Detail. National Vulnerability Database (NVD). (2023a, October 26). https://nvd.nist.gov/vuln/detail/CVE-2023-39427

CVE-2023-39936 Detail. National Vulnerability Database (NVD). (2023b, October 26). https://nvd.nist.gov/vuln/detail/CVE-2023-39936

GeeksforGeeks. (2022, August 26). What is arbitrary code execution? https://www.geeksforgeeks.org/what-is-arbitrary-code-execution/

KL, A. (2023, October 23). What is arbitrary code execution? How to prevent arbitrary code execution? The Sec Master. https://thesecmaster.com/what-is-arbitrary-code-execution/

Multiple vulnerabilities in Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium. Vulnerability Intelligence by CyberSecurity Help s.r.o. (2023, October 26). https://www.cybersecurity-help.cz/vdb/SB2023102723