Connect with us
Categories:
X

Technology

Cobalt Strike’s failed patch has a hidden RCE vulnerability

Published

on

Cobalt Strike's failed patch has a hidden RCE vulnerability
Share this post:

The team behind the Cobalt Strike penetration testing tool has responded to reports of a failed remote code execution (RCE) exploit patch with a new fix.

HelpSystems’ Cobalt Strike enables cybersecurity professionals to simulate attacks with post-exploit agents and is arguably the most popular threat emulation software of its type.

However, the source code of old versions of the licensed software is subject to leaks – the latest of which reportedly took place in 2020.

As a result, Cobalt Strike often surfaces within the arsenal of sophisticated threat actors who use the software to set up command and control (C2) beacons for illicit communication.

Failed fix

Given the importance of this tool and how red teams worldwide rely on Cobalt Strike for their research and cybersecurity audits, the details of the failed patch were kept private until a fix could be released.

On October 17, Rio Sherri, managing security consultant of IBM’s X-Force Red Adversary Simulation team, revealed in a blog post that a patch designed to resolve a known RCE vulnerability had failed.

The vulnerability, tracked as CVE-2022-39197 and issued a CVSS severity score of 6.1, is a cross-site scripting (XSS) issue that allowed remote attackers to execute code without permission on the Cobalt Strike teamserver.

It was possible to trigger the bug by inspecting a Cobalt Strike v.4.7 payload and modifying the username field. Alternatively, an intruder could create a new, malicious payload using the extracted information.

A researcher with the pseudonym ‘Beichendream’ privately reported the original security flaw.

HelpSystems published an out-of-band patch for the RCE on September 20. The Cobalt Strike 4.7.1 release added a new property to the teamserver file, which “specifies whether XSS validation is performed on selected Beacon metadata,” according to HelpSystems.

However, after IBM researchers Sherri and Ruben Boonen examined the patch, it transpired that the 4.7.1 update was “insufficient to mitigate the impact of the vulnerability”.

If an attacker created Java Swing components, the researchers found, it was possible to circumvent the fix and create arbitrary Java objects in class paths, as Java Swing will interpret any text as HTML content as long as it begins with an HTML tag. Object tags could then load a malicious payload from the server, which a Cobalt Strike client would subsequently deploy.

Second patch

IBM X-Force notified HelpSystems of its findings privately and requested a new CVE, CVE-2022-42948. The researchers also assisted Cobalt Strike developers in creating a bulletproof patch.

The vulnerability has been resolved in Cobalt Strike v. 4.7.2 via a second out-of-band patch. HelpSystems thanked IBM, noting that the circumvention was caused by the Cobalt Strike interface being built on the Java Swing framework.

While IBM requested a new CVE, HelpSystems did not, noting that the underlying issue is in Java Swing rather than Cobalt Strike as a standalone application.

“We felt that there were parallels between this and the recent log4j vulnerability – thousands of applications that used log4j were vulnerable and yet there aren’t CVEs to cover every single vulnerable application,” commented Greg Darwin, Cobalt Strike software development manager. “It is the same case here, although I appreciate that some people may disagree.”


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Cryptocurrency
Technology3 days ago

Meaning and Uses for Tether Crypto Explained

Bitcoin Cryptocurrency
Technology4 weeks ago

Have A Brief Idea About Bitcoin Mining And Its Operation

Mark Your Calendars For These 4 Premier Sporting Events Of 2023
Sports2 months ago

Mark Your Calendars For These 4 Premier Sporting Events Of 2023

How To Safeguard Your Crypto Wallet?
Technology2 months ago

How To Safeguard Your Crypto Wallet?

Angry youths chase Elumelu away as they disrupt PDP campaign in Delta
News2 months ago

Angry youths chase Elumelu away as they disrupt PDP campaign in Delta

Lai Mohammed
News2 months ago

FG recovers over N120bn from proceeds of crime – Lai Mohammed

News2 months ago

Tinubu says Peter Obi, Atiku lack track record to be president

Atiku Abubakar
News2 months ago

Plateau PDP set to receive Atiku

Peter Obi praises Gov Uzodimma’s leadership style
News2 months ago

Peter Obi praises Gov Uzodimma’s leadership style

Entertainment2 months ago

‘Free Mind’ by Tems enters 20th week on Billboard Hot 100

Kizz Daniel
Entertainment2 months ago

Buga by Kizz Daniel is the most searched song in Nigeria in 2022

News2 months ago

NJC Reinstates Justice Ofili-Ajumogobia As Judge Of Federal High Court

Man sentenced to 21 years in prison for stealing Lady Gaga's dogs
Entertainment2 months ago

Man sentenced to 21 years in prison for stealing Lady Gaga’s dogs

NNPC Ltd to disclose new asset base – Kyari
News2 months ago

Nigeria Records ₦‎16 Trillion Worth Of Crude Oil In 9 Months

Entertainment2 months ago

Broda Shaggi begs African fathers to hug their children

News2 months ago

Chatham House: APC slams Dele Momodu over comment on Tinubu

News2 months ago

Samuel Eto’o Apologises After Physically Attacking YouTuber

News2 months ago

N-Power Fraud: D’banj Arrested & Detained – ICPC Confirms, Releases Statement

News2 months ago

FG: Second Niger Bridge will open to traffic Dec 15

News2 months ago

2023 Polls Won’t Mar Nigeria – Sultan, CAN, SGF

Education2 months ago

ASUU Strike: CONUA threatens to sue FG over withheld salaries

Sports2 months ago

Eden Hazard announce retirement from international football

News2 months ago

2023: APC Has Failed Northerners, Muslim-Muslim Ticket Won’t Work – Shagari

News2 months ago

Teleprompters In Sight As Tinubu Spoke At Chatham House – Jaafar Shares Photo

Buhari
News2 months ago

2023: No manipulations of any form will be allowed, Buhari vows

News2 months ago

Kano Hisbah to destroy 18,000 bottles of beer

Entertainment2 months ago

Emancipation: Will Smith pulls you in with gritty realities of slavery era[Review]

Will Smith hopes ‘brutal’ depictions of slavery in Emancipation are ‘not in vain’, as he attends premiere in London
Entertainment2 months ago

I became more alive by facing my pain – Will Smith

Luis Enrique
Sports2 months ago

Spain manager full of praise for his players despite shock Morocco loss

Goncalo Ramos
Sports2 months ago

Goncalo Ramos reacts after taking Cristiano Ronaldo’s place in Portugal team

Frank Leboeuf
Sports2 months ago

Frank Leboeuf aims bizarre dig at Kieran Trippier

Sports2 months ago

Can the Three Lions outsmart France’s unstoppable star player?

Horoscope2 months ago

Your daily horoscope for Wednesday, December 7, 2022

Sports2 months ago

FIFA World Cup 2022: Goncalo Ramos nets first hat-trick of 2022 FIFA World Cup as Portugal trash Switzerland

Sports2 months ago

FIFA World Cup 2022: Yassine Bono the hero as Morocco knocks Spain out of World Cup

Godwin Emefiele
News2 months ago

CBN Drops ATM Withdrawal Limit To ₦‎20k/Day

TikTok logo
News2 months ago

‘TikTok Challenge’ Circulates Info-Stealing Malware – NCC

DOWNLOAD Complete Wednesday (TV series) (2022 film) Season 1 Subtitles File [English SRT] 2022
Movie Subtitle2 months ago

DOWNLOAD Complete Wednesday (TV series) (2022 film) Season 1 Subtitles File [English SRT] 2022

The vast network of antennas will form the world’s largest radio telescope
Technology2 months ago

The largest radio telescope in the world’s construction gets underway

News2 months ago

FG releases new curriculum for universities in Nigeria

ANE Billboard Hots