Cobalt Strike Rolls Out an Update for XSS Vulnerability
The Cobalt Strike 4.7.1 out-of-band update fixes an issue in version 4.7 that affected users reported; there was no workaround for the problem.
Cobalt Strike also addressed a vulnerability disclosed soon after the 4.7 release, along with mitigations for potential denial-of-service attacks against the teamserver.
It was also discovered that even when stage.sleep_mask is unset (i.e., set to false), Beacon continued to reserve memory for the sleep mask BOF. This has now been fixed.
CVE-2022-39197 XSS Flaw Fixed
The XSS flaw in the teamserver could allow an attacker to remotely execute code by setting a fake username in the Beacon configuration.
As part of this patch, the TeamServer.prop file gains a new property:
- limits.beacons_xssvalidated: Specifies whether XSS validation is applied to particular Beacon metadata. Set to true by default.
Mitigations for DDoS
Cobalt Strike’s blog states that potential DDoS attacks can be prevented by implementing good OPSEC. The TeamServer.prop file has also been updated with several new properties that can be configured as additional mitigation for DDoS:
- limits.beacons_max: Limits the maximum number of Beacons a teamserver supports; 500 by default. Set to 0 to support an unlimited number of Beacons.
- limits.beacon_rate_period: Defines the time period for monitoring and limiting the number of Beacons added.
- limits.beacon_rate_maxperperiod: Limits the number of Beacons that can be added in the specified time period.
- limits.beacon_rate_disableduration: When the number of new beacons exceeds the limit (in the specified time period), the teamserver will ignore any additional beacons for the duration specified by this property.
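To illustrate how the four limits.* properties above interact, here is an added simulation of the rate-limiting behaviour as the article describes it. It is not Cobalt Strike's code; the class and function names are hypothetical, the time unit (seconds) and every property value other than the documented beacons_max default of 500 are assumed, and the arrival times are constructed.

```python
# Added example: simulates the Beacon admission rules described for
# limits.beacons_max and limits.beacon_rate_*. NOT Cobalt Strike's code;
# names, time unit (seconds) and non-documented defaults are assumptions.
from dataclasses import dataclass, field


@dataclass
class BeaconLimits:
    beacons_max: int = 500            # documented default; 0 means unlimited
    rate_period: float = 60.0         # assumed: monitoring window in seconds
    rate_maxperperiod: int = 10       # assumed: new Beacons allowed per window
    rate_disableduration: float = 300.0  # assumed: seconds to ignore new Beacons


@dataclass
class TeamserverSim:
    limits: BeaconLimits
    beacons: int = 0            # Beacons currently registered
    window_start: float = 0.0   # start of the current monitoring window
    window_count: int = 0       # new Beacons seen in the current window
    ignore_until: float = -1.0  # while now < ignore_until, new Beacons are dropped
    log: list = field(default_factory=list)

    def register(self, now: float) -> bool:
        """Return True if a new Beacon arriving at time `now` is accepted."""
        lim = self.limits
        # Disable window active: ignore every additional Beacon.
        if now < self.ignore_until:
            return False
        # Hard cap on the total number of Beacons (0 = unlimited).
        if lim.beacons_max and self.beacons >= lim.beacons_max:
            self.log.append(f"{now:.0f}: beacons_max reached, rejecting")
            return False
        # Start a fresh window once rate_period has elapsed.
        if now - self.window_start >= lim.rate_period:
            self.window_start, self.window_count = now, 0
        if self.window_count >= lim.rate_maxperperiod:
            # Burst exceeded: ignore new Beacons for rate_disableduration.
            self.ignore_until = now + lim.rate_disableduration
            self.log.append(f"{now:.0f}: burst limit hit, ignoring until {self.ignore_until:.0f}")
            return False
        self.window_count += 1
        self.beacons += 1
        return True


def simulate(arrivals, limits=None):
    """Feed constructed arrival times; return (accepted_times, simulator)."""
    sim = TeamserverSim(limits or BeaconLimits())
    accepted = [t for t in arrivals if sim.register(t)]
    return accepted, sim
```

With a burst limit of 3 per 60-second window and a 120-second disable duration, arrivals at 0, 10, 20, 30, 40, 100, 170 and 200 seconds yield acceptance of the first three, rejection until t=150, then acceptance again.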