Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium (Update A)
Plan Patch | 7.8 | ICS-CERT ICSA-23-299-03 | Oct 24, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Ashlar-Vellum Cobalt, Cobalt Share, Graphite, Xenon, Argon, and Lithium contain out-of-bounds write, out-of-bounds read, and stack-based buffer overflow vulnerabilities (CWE-787, CWE-125, CWE-122) that could allow an attacker to execute arbitrary code if a user opens a malicious file. These vulnerabilities are not remotely exploitable and require user interaction to open a crafted file.
What this means
What could happen
An attacker could execute arbitrary code on engineering workstations running these design applications if a user opens a malicious file, potentially compromising the design and control logic used in industrial operations.
Who's at risk
Engineering organizations and utilities that use Ashlar-Vellum design software (Cobalt, Graphite, Xenon, Argon, Lithium) on workstations for process design, schematics, or control system configuration. This includes electrical utilities designing substation control systems, water authorities designing SCADA interfaces, and engineering firms creating industrial process designs.
How it could be exploited
An attacker creates a malicious design file (e.g., project or drawing file) and tricks a user into opening it via email or social engineering. When the vulnerable application processes the file, the buffer overflow occurs, allowing the attacker to execute code with the privileges of the application user (typically an engineer or designer).
Prerequisites
- User must open a malicious file from an untrusted source
- Vulnerable version of Cobalt, Cobalt Share, Graphite, Xenon, Argon, or Lithium must be installed on the workstation
- No authentication required (user interaction is the vector)
- Low complexity attack (social engineering via email)
- Affects engineering workstations that interface with control systems
- No patch available for some products
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
6 with fix
Product | Affected Versions | Fix Status
Cobalt: <v12_SP2_Build_1204.200 | < v12 SP2 Build 1204.200 | v12 SP12 Alpha Build 1204.200
Cobalt Share: <v12_SP2_Build_1204.200 | < v12 SP2 Build 1204.200 | v12 SP12 Alpha Build 1204.200
Graphite: <=v13.0.48 | ≤ v13.0.48 | v13.0.48 or later
Xenon: <v12_SP2_Build_1204.200 | < v12 SP2 Build 1204.200 | v12 SP12 Alpha Build 1204.200
Argon: <v12_SP2_Build_1204.200 | < v12 SP2 Build 1204.200 | v12 SP12 Alpha Build 1204.200
Lithium: <v12_SP2_Build_1204.200 | < v12 SP2 Build 1204.200 | v12 SP12 Alpha Build 1204.200
Remediation & Mitigation
Do now
- WORKAROUND: Only open design files (.dgn, project files, or other application-native formats) from trusted, known sources
- WORKAROUND: Do not click web links or open file attachments in unsolicited email messages; verify sender identity before opening files
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update Cobalt, Xenon, Lithium, and Argon to v12 SP12 Alpha Build 1204.200 (released January 22, 2025)
- HOTFIX: Update Graphite to the latest available version
Long-term hardening
- HARDENING: Implement network segmentation to isolate engineering workstations from production networks and untrusted networks