WARNING: AUTHENTICATION BYPASS AND PATH TRAVERSAL VULNERABILITIES IN JETBRAINS TEAMCITY, PATCH IMMEDIATELY

Reference: Advisory #2024-36
Version: 2.0
Affected software: JetBrains TeamCity < 2023.11.4
Type: Authentication bypass and path traversal vulnerabilities allowing administrative actions
CVE/CVSS:
CVE-2024-27198 - CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-27199 - CVSS 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Sources

Risks

JetBrains TeamCity is a general-purpose CI/CD software platform that allows for flexible workflows, collaboration and development practices.

Successful exploitation of CVE-2024-27198 and CVE-2024-27199 could allow an adversary to perform malicious administrative actions on the TeamCity server, with an impact on the confidentiality, integrity and availability of data and infrastructure.

At the time of writing version 1.0 of this advisory, the Centre for Cybersecurity Belgium was not aware of active exploitation of these vulnerabilities. However, as indicated in previous advisories (see references below), JetBrains TeamCity vulnerabilities have been exploited by criminal actors in the past, including ransomware actors.

UPDATE 07-03-2024: Massive active exploitation of both vulnerabilities has been detected; proof-of-concept code is trivial and publicly available. Attackers are using these vulnerabilities to create numerous new user accounts on unpatched TeamCity instances exposed to the public internet.

A substantial portion of the compromised TeamCity servers are production machines used to build and deploy software. Compromise of such a server can lead to supply-chain attacks, since it may hold sensitive information such as credentials for the environments where code is deployed, published or stored.

Description

CVE-2024-27198 is an authentication bypass in the TeamCity web component: an unauthenticated remote attacker can reach endpoints that should require authentication and, through them, perform administrative actions on the server. CVE-2024-27199 is a path traversal issue that lets an unauthenticated attacker reach a limited set of authenticated endpoints, allowing limited information disclosure and limited modification of the server. Both issues are fixed in TeamCity 2023.11.4.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends updating vulnerable TeamCity instances to version 2023.11.4 or later with the highest priority, after thorough testing.

Monitor/Detect

The Centre for Cybersecurity Belgium recommends that organizations increase their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a compromise that has already occurred.
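The two checks a practitioner needs after reading the Patch and Monitor/Detect recommendations above are (1) whether a given instance is below the fixed version 2023.11.4 and (2) whether user accounts exist that the organization did not create, since account creation is the exploitation activity the update of 07-03-2024 describes. The following script is an added example; it is not part of the CCB advisory and not JetBrains tooling. It assumes the TeamCity REST endpoints /app/rest/server (XML, with a version attribute) and /app/rest/users (JSON, with a "user" array) return the shapes shown in the embedded samples; those samples, the build number, the hostname and the access token are constructed placeholders, and the approved-user baseline is something your own organization maintains.

```python
"""Triage a JetBrains TeamCity instance against CCB advisory 2024-36
(CVE-2024-27198 / CVE-2024-27199).

Added example, not CCB or JetBrains code. Assumptions: the REST responses
have the shapes shown in the constructed samples below; the approved-user
baseline is maintained by your organization.
"""
import json
import re
import urllib.request
import xml.etree.ElementTree as ET

# First release that closes both CVEs (advisory: affected < 2023.11.4).
FIXED_VERSION = (2023, 11, 4)


def parse_version(version_attr):
    """Turn a TeamCity version string such as '2023.11.3 (build 147000)'
    into a comparable tuple. Only the leading dotted numeric part is used;
    '2023.11' is padded to (2023, 11, 0) so it compares as affected."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version_attr)
    if not m:
        raise ValueError(f"unrecognised version string: {version_attr!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version_attr):
    """True when the server runs a release older than the fixed version."""
    return parse_version(version_attr) < FIXED_VERSION


def server_version_from_xml(xml_text):
    """Extract the version attribute from a /app/rest/server response."""
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("not a TeamCity /app/rest/server response")
    return root.attrib["version"]


def unexpected_users(users_json_text, approved):
    """Usernames present on the server but absent from the approved baseline.
    Surfaces accounts an attacker created; it cannot prove absence of compromise."""
    data = json.loads(users_json_text)
    present = {u["username"] for u in data.get("user", [])}
    return sorted(present - set(approved))


def fetch(url, token=None, accept="application/xml"):
    """GET a TeamCity REST endpoint. `token` is a TeamCity access token sent
    as a Bearer header; whether /app/rest/server answers without one depends
    on the instance's guest-access settings."""
    req = urllib.request.Request(url, headers={"Accept": accept})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def triage(server_xml, users_json, approved):
    """Combine both checks into one report dict."""
    version = server_version_from_xml(server_xml)
    return {
        "version": version,
        "affected": is_affected(version),
        "unexpected_users": unexpected_users(users_json, approved),
    }


# Constructed sample responses (not captured from a real server).
SAMPLE_SERVER_XML = (
    '<server version="2023.11.3 (build 147000)" versionMajor="2023" '
    'versionMinor="11" buildNumber="147000" />'
)
SAMPLE_USERS_JSON = """{"count": 3, "user": [
  {"username": "admin", "name": "Build Admin", "id": 1, "href": "/app/rest/users/id:1"},
  {"username": "ci-bot", "name": "CI Service", "id": 2, "href": "/app/rest/users/id:2"},
  {"username": "xkq8sj2m", "name": "xkq8sj2m", "id": 417, "href": "/app/rest/users/id:417"}
]}"""
APPROVED_USERS = ["admin", "ci-bot"]

if __name__ == "__main__":
    # Offline run on the constructed samples.
    print(json.dumps(triage(SAMPLE_SERVER_XML, SAMPLE_USERS_JSON, APPROVED_USERS), indent=2))
    # Against a live instance (placeholder URL and token):
    # base, token = "https://teamcity.example.internal", "<access-token>"
    # report = triage(fetch(f"{base}/app/rest/server", token),
    #                 fetch(f"{base}/app/rest/users", token, accept="application/json"),
    #                 APPROVED_USERS)
```

An empty unexpected_users list is not evidence of a clean system: an attacker can delete the account again after use, and the advisory notes that patching does not remediate historic compromise. Treat any unexpected account as an indicator that warrants incident response, and cross-check it against the server's audit trail before deleting it.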

References