Out-of-band update addresses an issue for which IBM X-Force researchers had wanted a new CVE, but which HelpSystems says is not specific to its software [300 words]
What: HelpSystems on October 17 released Cobalt Strike 4.7.2, an OOB update to fix an RCE vulnerability reported to it by IBM’s X-Force threat intelligence team.
IBM’s researchers discovered the vulnerability when analyzing an update in the previous Cobalt Strike 4.7.1 version. That update—released on Sept. 20, 2022—was supposed to have fixed an XSS bug in Cobalt Strike 4.7 ((CVE-2022-39197) that enabled RCE.
X-Force described the update in Cobalt Strike 4.7.1 as incomplete because they found that remote code execution was still possible even in the updated Cobalt Strike version. They requested a new CVE (CVE-2022-42948) for their discovery. “We discovered that creating Swing components from user input allows users to create arbitrary Java objects in the class path and invoke [methods] which can lead to remote code execution in specific cases,” X-Force noted.
HelpSystems’ response: Greg Darwinsoftware development manager for Cobalt Strike said HelpSystems had not submitted a CVE because the flaw was not specific to Cobalt Strike. “The underlying cause of this issue is due to Cobalt Strike’s user interface being built using the Java Swing framework,” he said. “Certain components within Java Swing will automatically interpret any text as HTML content if it starts with <html>.” The vulnerability can be exploited in any Java Swing GUI that renders html and not just Cobalt Strike.
Why it matters: Red teams use Cobalt Strike to simulate adversary behaviors and gain a privileged position on a target network. As IBM noted, a compromise of the C2 framework could lead to the red team losing control of their beacons and operations.
Details:
Out Of Band Update: Cobalt Strike 4.7.2