Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2021-36798

Disclosure Date: August 09, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Impact
Techniques
Validation
Validated
Validated
Validated

Description

A Denial-of-Service (DoS) vulnerability was discovered in Team Server in HelpSystems Cobalt Strike 4.2 and 4.3. It allows remote attackers to crash the C2 server thread and block beacons’ communication with it.

Add Assessment

2
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

As Cobalt Strike’s source code got leaked in November 2020, it seems that versions 4.2 and 4.3 are both vulnerable to a Denial of Service attack that occurs when a new beacon registers with the Teamserver, thus causing a memory load and server crash.
The attacker need to the know the relevant beacon configuration prior to the execution, but this can be done rather easily with a multitude of tools released over GitHub, that performs config extraction from known Cobalt Strike C2 servers.
Cobalt Strike has become a tool which is used commonly by different threat actor groups worldwide, due to its availability, capabilities and effectiveness in covert channels.

Sentinel One have researched, reported and released a PoC code that triggers this vulnerability:
https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/

As the PoC code got released, it is safe to assume that vulnerable C2 servers worldwide are being attacked.

To fix this issue, version 4.4 was released.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Vendors

  • helpsystems

Products

  • cobalt strike 4.2,
  • cobalt strike 4.3

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis