putilov_denis - stock.adobe.com

Cobalt Strike gets emergency patch

The developer of Cobalt Strike issued an out-of-band security update to address a cross-site scripting vulnerability in the popular penetration testing suite.

Cobalt Strike developer HelpSystems has gone out of band to address a potentially serious security vulnerability in its Beacon software.

The company said in a security advisory Tuesday that the Cobalt Strike 4.7.1 update will close off a cross-site-scripting (XSS) flaw, designated CVE-2022-39197, in the server component of the product. The bug was discovered and privately disclosed to HelpSystems by a researcher using the pseudonym "Beichendream."

Cobalt Strike is designed to allow penetration testers and network defenders to check the strength of their security professions by mocking several possible attack tools and scenarios. However, the security testing suite is also widely used by actual threat actors, including ransomware gangs, to infiltrate targeted networks.

Beacon, specifically, acts as the command and control portion of the larger Cobalt Strike testing suite, allowing the attacker to send malware packages to the target machine, execute shell scripts, and perform remote monitoring activities like logging keystrokes or taking screenshots.

According to HelpSystems, CVE-2022-39197 would potentially allow an attacker to remotely execute code on Beacon by hiding commands within a malformed username entry. While HelpSystems has remedied the issue in Beacon by adding XSS checks to metadata entries, the developer noted that the bug could also be weaponized against the CobaltStrike suite to take down the host server.

"We were also made aware of the potential to conduct a denial-of-service attack against the teamserver itself," HelpSystems said in the advisory.

"While this can be mitigated by good OPSEC (using a redirector, turning staging off and so on), we have made updates to mitigate this type of attack."

The update also addressed an unrelated stability issue with Beacon's handling of sleep mask data.

The need for an out of band fix is somewhat ironic given that Cobalt Strike and Beacon are used by cybercriminals as well as legitimate infosec professionals. As with legitimate security tools, Beacon and other pieces of the Cobalt Strike suite have also been stolen and co-opted by threat actors who use the cracked and modified copies of Beacon to run their own operations. As such, the vulnerability could be used to play a nasty trick on attackers by turning the tables on them and leaving their own systems open to attack.

Stolen and modified copies of Beacon have even been connected to some state-sponsored hacking operations.

Those running legal copies of Cobalt Strike can obtain the 4.7.1 update from HelpSystems or by re-installing the suite from the company's website.

Next Steps

Microsoft, Fortra get court order to disrupt Cobalt Strike

Dig Deeper on Security operations and management