• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike
How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike

HelpSystems published its news on an out-of-band Cobalt Strike update to address a critical RCE vulnerability in Cobalt Strike. The CVE-2022-42948 is a remote code vulnerability that hackers can exploit by using a tag and running it within a graphical file explorer menu. It stems from an incomplete patch for CVE-2022-39197, released on September 20th, 2022. 

Since any unauthenticated remote attacker can exploit this flaw and perform hacking operations remotely on the administrative interface, it is important to know how to fix CVE-2022-42948, a Critical RCE vulnerability in Cobalt Strike. The company’s release notes explained the vulnerability and how to fix it. Let’s learn about it.

A Short Note About Cobalt Strike

Cobalt Strike is a commercial third-party framework that IBM Security X-Force Red uses for adversary stimulation. It has covert channels and post-exploitation agents that help you emulate a long-term embedded actor in your customer’s network. It is marketed to the red teams for this purpose but is also actively stolen and used by many threat actors. 

Cobalt Strike has two primary components in its framework, and both are in the same Java executable (JAR file). The components are as follows; 

  • Team Server: A C2 server that accepts general web requests, BEACON callbacks, and client connections. It accepts client connections on TCP port 50050 by default. Linux systems only support it. 
  • Client: It helps operators connect to the team server. It can be connected remotely or run on the same system as the Team server. It is supported by macOS, Windows, or Linux systems. 

Summary of CVE-2022-42948

CVE-2022-42948 is a recent vulnerability detected and released by HelpSystems. According to the company, it is a remote code execution vulnerability that hackers can exploit, taking control of targeted systems. 

CVSS Break Up

Platform Affected HelpSystems Cobalt Strike 4.7.1 
Exploitability Not proven
Risk Level 9.8 
Consequences Gain Access 
User Interaction None 
Privileges Required None
Access Vector Network 
Scope Unchanged 
Access Complexity Low 
Availability Impact High 
Integrity Impact High 
Remediation Level Official Fix 
Confidentiality Impact High 

Detailed Summary 

In a release note, the company said; 

“Certain Java Swing components interpret the test as HTML content automatically if it starts with <html>. Hackers use an object tag and can exploit this, and load a malicious payload, which is then carried out by the Cobalt Strike client ” 

-Cobolt Strike

It was found that the vulnerability can be triggered only in specific cases and that too, by using a Java Swing framework. The exposure of the flaw was accompanied by the release of Cobalt Strike version 4.7.2. The company, however, hasn’t assigned it a new CVE, as it says in a post that the vulnerability is not specific to Cobalt Strike. 

The way threat actors can exploit this vulnerability is by loading a malicious payload that is hosted on a remote server. They use an HTML <object> tag and inject it within the graphical file explorer menu or the note field in the post-exploitation platform UI. 

See Also  How To Fix CVE-2021-1579- A Privilege Escalation Vulnerability In Cisco APIC

The company said that disabling the automatic HTML tags parsing across the client was enough to mitigate this behavior. 

Cobalt Strike Versions Affected by CVE-2022-42948

CVE-2022-42948- a critical RCE Vulnerability in Cobalt Strike affects version 4.7.1. The reason for this vulnerability was the previous release of an incomplete patch for cross-site-scripting (XSS) vulnerability on 20th September 2022. 

The vulnerability was numbered CVE-2022-39197. According to the IBM (sponsored Security Intelligence team) advisory, the attackers could trigger this vulnerability in three ways: stimulating an implant check-in in Cobalt Strike, client-side UI input fields manipulation, or hooking an implant in Cobalt Strike that runs on a host. 

How To Fix CVE-2022-42948- A Critical RCE Vulnerability in Cobalt Strike?

The only way to fix CVE-2022-42948-a critical RCE Vulnerability in Cobalt Strike as prescribed by HelpSystems is to upgrade the Cobalt Strike version 4.7.1 to 4.7.2. If you’re a licensed user of the software, you can get the new version by running the update program or downloading it from scratch from the website

If you’re planning to get the latest version of the software, it is recommended to keep a copy of the existing Cobalt Strike before upgrading in case you need to revert to the old version. 

Wrap Up 

The flaw stems from an incomplete patch for CVE-2022-39197. Fixing this vulnerability requires an upgrade to the latest version 4.7.2. We hope this post would help you know how to fix CVE-2022-42948- a critical RCE Vulnerability in Cobalt Strike. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, Medium & Instagram, and subscribe to receive updates like this. 

Read More:

About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.