HelpSystems Patch Falls Short, RCE Vulnerability in Cobalt Strike Remains
A remote code execution (RCE) vulnerability has been discovered in Cobalt Strike software, potentially allowing threat actors to take control of targeted systems.
At a basic level, Cobalt Strike is a red-team framework primarily used for adversary simulation. It comprises a team server that functions as a command-and-control (C2) component and a beacon (malware tool) to create a connection to the team server and drop next-stage payloads.
The new flaw (tracked CVE-2022-42948) affects Cobalt Strike version 4.7.1 and derives from an incomplete patch released by HelpSystems on September 20, 2022, to rectify a cross-site scripting (XSS) vulnerability (CVE-2022-39197) that could lead to RCE attacks.
According to a new advisory by the IBM-sponsored Security Intelligence team, the XSS vulnerability could be triggered in one of three ways: by manipulating client-side UI input fields, simulating a Cobalt Strike implant check-in or hooking a Cobalt Strike implant running on a host.
Despite the patch released by HelpSystems last month, the first of these three methods has not been fully patched, as described by the IBM advisory.
Addressing the new flaw in a blog post published on Monday, Greg Darwin, software development manager at HelpSystems, clarified that RCE could be triggered in specific cases using the Java Swing framework, the graphical user interface (GUI) toolkit behind Cobalt Strike.
“Certain components within Java Swing will automatically interpret any text as HTML content if it starts with <html>,” Darwin explained. “Disabling automatic parsing of HTML tags across the entire client was enough to mitigate this behavior.”
At the same time, the security expert clarified that the vulnerability is not specific to Cobalt Strike, which is why the company has not submitted a new CVE to cover it.
“The underlying vulnerability can be found in Java Swing and can be exploited in any Java Swing GUI that renders HTML, not just Cobalt Strike.”
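As an added illustration (not code from HelpSystems, IBM or Cobalt Strike), the following shows the Swing behaviour Darwin describes and the per-component form of the mitigation: a JLabel given text that begins with `<html>` is parsed as markup, while the same label with Swing's `html.disable` client property set shows the text literally. The untrusted string is constructed for the example.

```java
import javax.swing.JLabel;
import javax.swing.plaf.basic.BasicHTML;

public class SwingHtmlDemo {

    // Constructed sample: attacker-controlled text a GUI might display verbatim,
    // e.g. a hostname or user name reported back by a host.
    static final String UNTRUSTED = "<html><font color='red'>WORKSTATION-01</font>";

    // BasicHTML parses a component's text as HTML only when it starts with "<html>";
    // when it does, it stores the resulting View under the "html" client property,
    // so a non-null value here means the text was interpreted as markup.
    static boolean rendersAsHtml(JLabel label) {
        return label.getClientProperty(BasicHTML.propertyKey) != null;
    }

    // Weak pattern: untrusted text goes straight into the label, so a value
    // beginning with <html> is rendered as markup instead of shown literally.
    static JLabel vulnerableLabel(String text) {
        return new JLabel(text);
    }

    // Hardened pattern: the "html.disable" client property tells BasicHTML to skip
    // HTML parsing for this component. Set it before the text, because the parse
    // decision is made when the text property changes. (Text components such as
    // JEditorPane choose HTML via their content type and are not covered by this.)
    static JLabel hardenedLabel(String text) {
        JLabel label = new JLabel();
        label.putClientProperty("html.disable", Boolean.TRUE);
        label.setText(text);
        return label;
    }

    public static void main(String[] args) {
        System.setProperty("java.awt.headless", "true"); // no display needed for this check
        System.out.println("plain label parses HTML:    " + rendersAsHtml(vulnerableLabel(UNTRUSTED)));
        System.out.println("hardened label parses HTML: " + rendersAsHtml(hardenedLabel(UNTRUSTED)));
    }
}
```

Components that honour this property include JLabel and the AbstractButton family; applying it to every such component is the per-component equivalent of the client-wide change Darwin describes.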
That being said, Darwin also apologized for releasing two out-of-band updates in a matter of weeks.
“We apologize for any problems these issues may have caused,” he added. “Licensed users can run the update program to get this version or download version 4.7.2 from scratch from the website. We recommend taking a copy of your existing Cobalt Strike folder before upgrading in case you need to revert to the previous version.”
The software company was also under the spotlight last month when Cisco Talos unveiled a malicious campaign relying on Cobalt Strike beacons and using them in follow-on attacks.