Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike
October 27, 2022
|
5m

How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike


How To Fix Cve 2022 42948 A Critical Rce Vulnerability In Cobalt Strike

HelpSystems published its news on an out-of-band Cobalt Strike update to address a critical RCE vulnerability in Cobalt Strike. The CVE-2022-42948 is a remote code vulnerability that hackers can exploit by using a tag and running it within a graphical file explorer menu. It stems from an incomplete patch for CVE-2022-39197, released on September 20th, 2022. 

Since any unauthenticated remote attacker can exploit this flaw and perform hacking operations remotely on the administrative interface, it is important to know how to fix CVE-2022-42948, a Critical RCE vulnerability in Cobalt Strike. The company’s release notes explained the vulnerability and how to fix it. Let’s learn about it.

A Short Note About Cobalt Strike

Cobalt Strike is a commercial third-party framework that IBM Security X-Force Red uses for adversary stimulation. It has covert channels and post-exploitation agents that help you emulate a long-term embedded actor in your customer’s network. It is marketed to the red teams for this purpose but is also actively stolen and used by many threat actors. 

Cobalt Strike has two primary components in its framework, and both are in the same Java executable (JAR file). The components are as follows; 

  • Team Server: A C2 server that accepts general web requests, BEACON callbacks, and client connections. It accepts client connections on TCP port 50050 by default. Linux systems only support it. 

  • Client: It helps operators connect to the team server. It can be connected remotely or run on the same system as the Team server. It is supported by macOS, Windows, or Linux systems. 

Summary of CVE-2022-42948

CVE-2022-42948 is a recent vulnerability detected and released by HelpSystems. According to the company, it is a remote code execution vulnerability that hackers can exploit, taking control of targeted systems. 

CVSS Break Up

Platform Affected HelpSystems Cobalt Strike 4.7.1 
Exploitability Not proven
Risk Level 9.8 
Consequences Gain Access 
User Interaction None 
Privileges Required None
Access Vector Network 
Scope Unchanged 
Access Complexity Low 
Availability Impact High 
Integrity Impact High 
Remediation Level Official Fix 
Confidentiality Impact High 

Detailed Summary

In a release note, the company said; 

“Certain Java Swing components interpret the test as HTML content automatically if it starts with <html>. Hackers use an object tag and can exploit this, and load a malicious payload, which is then carried out by the Cobalt Strike client ” 
-Cobolt Strike

It was found that the vulnerability can be triggered only in specific cases and that too, by using a Java Swing framework. The exposure of the flaw was accompanied by the release of Cobalt Strike version 4.7.2. The company, however, hasn’t assigned it a new CVE, as it says in a post that the vulnerability is not specific to Cobalt Strike

The way threat actors can exploit this vulnerability is by loading a malicious payload that is hosted on a remote server. They use an HTML <object> tag and inject it within the graphical file explorer menu or the note field in the post-exploitation platform UI. 

The company said that disabling the automatic HTML tags parsing across the client was enough to mitigate this behavior. 

Cobalt Strike Versions Affected by CVE-2022-42948

CVE-2022-42948- a critical RCE Vulnerability in Cobalt Strike affects version 4.7.1. The reason for this vulnerability was the previous release of an incomplete patch for cross-site-scripting (XSS) vulnerability on 20th September 2022. 

The vulnerability was numbered CVE-2022-39197. According to the IBM (sponsored Security Intelligence team) advisory, the attackers could trigger this vulnerability in three ways: stimulating an implant check-in in Cobalt Strike, client-side UI input fields manipulation, or hooking an implant in Cobalt Strike that runs on a host. 

How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike?

The only way to fix CVE-2022-42948-a critical RCE Vulnerability in Cobalt Strike as prescribed by HelpSystems is to upgrade the Cobalt Strike version 4.7.1 to 4.7.2. If you’re a licensed user of the software, you can get the new version by

or downloading it from scratch from the website

If you’re planning to get the latest version of the software, it is recommended to keep a copy of the existing Cobalt Strike before upgrading in case you need to revert to the old version. 

Wrap Up

The flaw stems from an incomplete patch for CVE-2022-39197. Fixing this vulnerability requires an upgrade to the latest version 4.7.2. We hope this post would help you know how to fix CVE-2022-42948- a critical RCE Vulnerability in Cobalt Strike. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, Medium & Instagram, and subscribe to receive updates like this. 

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe