CVE-2021-36798

7.5 HIGH

📋 TL;DR

A Denial-of-Service vulnerability in Cobalt Strike Team Server allows remote attackers to crash the C2 server thread, blocking beacon communications. This affects Cobalt Strike 4.2 and 4.3 installations, potentially disrupting red team operations and adversary infrastructure.

💻 Affected Systems

Products:
  • HelpSystems Cobalt Strike
Versions: 4.2 and 4.3
Operating Systems: All platforms running Cobalt Strike Team Server
Default Config Vulnerable: ⚠️ Yes
Notes: All Team Server configurations in affected versions are vulnerable when exposed to network traffic.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete disruption of C2 operations, making all beacons unreachable and halting ongoing campaigns until the server is restarted.

🟠 Likely Case: Temporary C2 server thread crash requiring a manual restart, causing beacon communication interruptions during attacks.

🟢 If Mitigated: Minimal impact; proper network segmentation and monitoring allow quick detection and recovery.

🌐 Internet-Facing: HIGH - Cobalt Strike servers are typically internet-facing for beacon communication, making them directly accessible to attackers.
🏢 Internal Only: LOW - Cobalt Strike is primarily deployed as internet-facing C2 infrastructure, not internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending specially crafted packets to the Team Server port (default 50050). Public exploit code exists in security research publications.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4

Vendor Advisory: https://www.cobaltstrike.com/releasenotes.txt

Restart Required: Yes

Instructions:

1. Download Cobalt Strike 4.4 or later from the HelpSystems portal.
2. Stop the vulnerable Team Server.
3. Deploy the updated version.
4. Restart the Team Server with the updated binaries.

🔧 Temporary Workarounds

Network Segmentation

Platform: linux

Restrict access to the Team Server port with firewall rules so that only connections from trusted IPs are allowed (replace TRUSTED_IP below with the address or range of your operators; the ACCEPT rule must precede the DROP rule).

iptables -A INPUT -p tcp --dport 50050 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 50050 -j DROP

Port Change

Platform: all

Change the default Team Server port from 50050 to a non-standard port to reduce exposure to automated scanning.

Edit the teamserver configuration file to change the port binding.

🧯 If You Can't Patch

  • Implement strict network ACLs allowing only beacon IPs to connect to Team Server
  • Deploy redundant Team Servers with load balancing to maintain availability during attacks

🔍 How to Verify

Check if Vulnerable:

Check the Cobalt Strike version: cat /path/to/cobaltstrike/version.txt, or examine the startup logs for version 4.2 or 4.3.

Check Version:

grep -i version /path/to/cobaltstrike/*.txt || java -jar cobaltstrike.jar --version

Verify Fix Applied:

Confirm that the version is 4.4 or later, then test Team Server stability under simulated attack conditions.

📡 Detection & Monitoring

Log Indicators:

  • Team Server thread crash logs
  • Unexpected server restarts
  • Beacon connection failures in logs

Network Indicators:

  • Multiple malformed packets to Team Server port
  • Sudden drop in beacon check-ins
  • Unusual traffic patterns to C2 port

SIEM Query:

source="cobaltstrike.log" AND ("thread crash" OR "server restart" OR "connection reset")
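The log and network indicators above can be checked outside a SIEM as well. The following is an added example (not code from the advisory or from Cobalt Strike) that applies the same indicators to a constructed log sample: it matches the crash keywords from the query above and flags one-minute windows in which beacon check-ins drop sharply, then pairs the two. The "timestamp level message" line layout and the beacon check-in wording are assumptions for the sample, not the real Team Server log format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (assumed layout, not the real Team Server format):
# a burst of check-ins, a crash/restart, then check-ins resuming.
SAMPLE_LOG = """\
2021-08-04 10:00:01 INFO beacon check-in id=1001 from 203.0.113.10
2021-08-04 10:00:05 INFO beacon check-in id=1002 from 203.0.113.11
2021-08-04 10:00:09 INFO beacon check-in id=1001 from 203.0.113.10
2021-08-04 10:00:12 INFO beacon check-in id=1003 from 203.0.113.12
2021-08-04 10:01:30 ERROR thread crash in team server handler: connection reset
2021-08-04 10:01:31 WARN server restart initiated
2021-08-04 10:02:10 INFO beacon check-in id=1001 from 203.0.113.10
"""

# Same keywords as the SIEM query in the advisory.
CRASH_PATTERNS = re.compile(r"thread crash|server restart|connection reset", re.IGNORECASE)
CHECKIN_RE = re.compile(r"beacon check-in id=(\d+)")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse(lines):
    """Yield (timestamp, message) for each non-empty line of the assumed layout."""
    for line in lines:
        if line.strip():
            yield datetime.strptime(line[:19], TS_FMT), line[20:]

def crash_events(log_text):
    """Lines matching the advisory's log indicators (crash, restart, reset)."""
    return [(ts, msg) for ts, msg in parse(log_text.splitlines()) if CRASH_PATTERNS.search(msg)]

def checkin_drop(log_text, window=timedelta(minutes=1), drop_ratio=0.5):
    """Bucket check-ins into fixed windows (index 0 starts at the first check-in)
    and return the indices of windows whose count fell below drop_ratio of the previous window."""
    counts, first = Counter(), None
    for ts, msg in parse(log_text.splitlines()):
        if CHECKIN_RE.search(msg):
            first = first or ts
            counts[int((ts - first) / window)] += 1
    flagged = []
    for b in range(1, max(counts) + 1) if counts else []:
        prev, cur = counts.get(b - 1, 0), counts.get(b, 0)
        if prev and cur < prev * drop_ratio:
            flagged.append(b)
    return flagged

def correlate(log_text, window=timedelta(minutes=1)):
    """Pair each flagged check-in drop with the crash indicators that fall inside that window."""
    first = next((ts for ts, m in parse(log_text.splitlines()) if CHECKIN_RE.search(m)), None)
    if first is None:
        return []
    crashes = crash_events(log_text)
    return [(b, [m for ts, m in crashes if first + b * window <= ts < first + (b + 1) * window])
            for b in checkin_drop(log_text, window)]
```

On the sample, window 1 (starting one minute after the first check-in) has zero check-ins against four in window 0, and both crash lines fall inside it, so correlate() returns that window with the two messages attached.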
