Cobalt Strike 4.7.1 is now available. This is an out of band update to fix an issue discovered in the 4.7 release that was reported to be impacting users, and for which there was no workaround. We also took the opportunity to address a vulnerability that was reported shortly after the 4.7 release, along with mitigations for potential denial-of-service attacks.
Sleep Mask Issue
An issue was reported whereby when stage.sleep_mask
is not set (i.e. set to false), Beacon will still allocate space for the sleep mask BOF in memory. This issue has now been fixed.
CVE-2022-39197
An independent researcher identified as “Beichendream” reached out to inform us about an XSS vulnerability that they discovered in the teamserver. This would allow an attacker to set a malformed username in the Beacon configuration, allowing them to remotely execute code. We created a CVE for this issue which has been fixed.
As part of this fix, a new property has been added to the TeamServer.prop file (located in the home folder of the teamserver):
limits.beacons_xssvalidated
specifies whether XSS validation is performed on selected Beacon metadata. By default, this is set to true.
Denial-of-Service Mitigations
We were also made aware of the potential to conduct a denial-of-service attack against the teamserver itself. While this can be mitigated by good OPSEC (using a redirector, turning staging off and so on), we have made updates to mitigate this type of attack.
A number of new properties have been added to the TeamServer.prop file as part of the mitigations:
limits.beacons_max
sets a limit on the total number of Beacons that the teamserver will support. The default is 500. To turn this off (support an unlimited number of Beacons), use 0.
Three additional settings allow you to set a threshold rate for adding new Beacons (how many new Beacons can be added in a specific time period):
limits.beacon_rate_period
specifies the time period (in milliseconds) during which the number of Beacons added is monitored and limited.
limits.beacon_rate_maxperperiod
specifies how many new Beacons can be added in the specified time period.
limits.beacon_rate_disableduration
specifies how long the teamserver will ignore additional new Beacons for if the number of new Beacons exceeds the limit in the given time period.
Example
limits.beacon_rate_period
is set to 3000, limits.beacon_rate_maxperperiod
is set to 50 and limits.beacon_rate_disableduration
is set to 600000. If more than 50 new Beacons are added in a 3 second (3000ms) time period, any additional new Beacons added in the next 10 minutes (600000ms) will be ignored.
We apologise for any problems that these issues may have caused. If you notice any other issues with Cobalt Strike, please refer to the online support page, or report them to our support email address. Licensed users can run the update program to get this version, or download version 4.7.1 from scratch from the website. We recommend taking a copy of your existing Cobalt Strike folder before upgrading in case you need to revert to the previous version. To purchase Cobalt Strike or learn more, please contact us.