Command & Control (C2) frameworks are a very sensitive component of Red Team operations. A Red Team is often in a highly privileged position on a target’s network, so a compromise of the C2 framework could lead to a compromise of both the red team operator’s system and control over the beacons established on the target’s systems. As such, vulnerabilities in C2 frameworks are high-priority targets for threat actors and for Counterintelligence (CI) operations. On September 20, 2022, HelpSystems published an out-of-band patch for Cobalt Strike which stated that there was potential for Remote Code Execution (RCE).

Cobalt Strike is one of several third-party C2 frameworks IBM Security X-Force Red uses to simulate different threat actors when delivering adversary services for clients. The Adversary Simulation team at IBM Security X-Force Red performed a diligent review of the patch to ensure that there was no impact to our clients’ networks, data, and systems.

Our analysis proved that RCE was indeed possible and that the update in version 4.7.1 was insufficient to mitigate the vulnerability. We found that creating Swing components from user-controlled input allows a user to instantiate arbitrary Java classes on the classpath and invoke their setter methods, which can lead to remote code execution in specific cases. X-Force requested a new CVE (CVE-2022-42948) and provided the technical details of the vulnerability to HelpSystems to aid in the development of a new patch. This post outlines the analysis process behind this evaluation: patch analysis, root cause review and vulnerability weaponization.
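The behaviour the previous paragraph refers to can be observed with nothing but the JDK: Swing’s HTML renderer (javax.swing.text.html.ObjectView) turns an `<object classid="...">` element into an instance of the named class via `Class.forName(...).newInstance()`, and, when that instance is a `java.awt.Component`, calls the JavaBean setter matching each `<param name="..." value="...">`. The example below is added here to illustrate that generic Swing behaviour; it is not code from the original post or from Cobalt Strike. `SwingObjectTagDemo`, the `Probe` class and the HTML string are all constructed for the demo, with `Probe` standing in for "any class on the classpath".

```java
import javax.swing.JComponent;
import javax.swing.JLabel;
import javax.swing.SwingUtilities;

/**
 * Added demonstration (not from the original post or from Cobalt Strike) of how
 * Swing's HTML renderer instantiates the class named in <object classid="..."> and
 * invokes bean setters for <param> tags. Everything here is constructed for the demo.
 */
public class SwingObjectTagDemo {

    /** Stand-in for "any class on the classpath" (constructed for this demo). */
    public static class Probe extends JComponent {
        static volatile boolean instantiated = false;
        static volatile String lastMessage = null;

        /** Runs when ObjectView calls newInstance() on the classid. */
        public Probe() { instantiated = true; }

        public String getMessage() { return lastMessage; }

        /** Bean setter that ObjectView invokes for <param name="message" value="..."> */
        public void setMessage(String m) { lastMessage = m; }
    }

    /**
     * Render an HTML string the way any Swing component with HTML text would.
     * The parameter plays the role of user-controlled input; here it is constructed.
     */
    public static void render(String untrustedHtml) throws Exception {
        // ComponentView only creates the child component on the event dispatch
        // thread, so build the label there to make the side effect deterministic.
        SwingUtilities.invokeAndWait(() -> new JLabel(untrustedHtml));
    }

    public static void main(String[] args) throws Exception {
        // Headless is enough: no window is shown, the render tree alone triggers it.
        System.setProperty("java.awt.headless", "true");

        String html = "<html><object classid=\"" + Probe.class.getName() + "\">"
                    + "<param name=\"message\" value=\"set via HTML param\">"
                    + "</object></html>";

        render(html);

        System.out.println("instantiated=" + Probe.instantiated
                         + " message=" + Probe.lastMessage);
    }
}
```

Compile and run with `javac SwingObjectTagDemo.java && java SwingObjectTagDemo`; if `Probe.instantiated` is true and `lastMessage` carries the `<param>` value, the renderer performed the instantiation and the setter call from nothing but an HTML string. Two caveats from the JDK source: the constructor of the named class runs regardless of its type, but the `<param>` setters are only invoked when the instance is a `java.awt.Component`, and each setter is called with the raw `String` value, so what is reachable in a given application depends on which `Component` subclasses are on its classpath and what their `String` setters do.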