www.belgium.be Logo of the federal government

WARNING: REMOTE CODE EXECUTION IN JETBRAINS TEAMCITY, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-20
Version: 
1.0
Affected software: 
JetBrains TeamCity On-Premises before 2023.11.3
Type: 
Authentication Bypass leading to Remote Code Execution
CVE/CVSS: 

CVE-2024-23917: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Date: 
07/02/2024

Sources

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23917

Risks

Patching CVE-2024-23917 is highly advised. At the time of writing, there are no mentions of the vulnerability being exploited in the wild. However, a previously disclosed vulnerability in JetBrains TeamCity (CVE-2023-42793) was exploited by threat actors. Given how similar the two vulnerabilities are, the likelihood of CVE-2024-23917 being exploited is very high.

For more information on CVE-2023-42793, please visit our published advisory #2023-119. (See references)

Description

CVE-2024-23917 is a critical vulnerability in Jetbrains TeamCity. It is an authentication bypass that can lead to a Remote Code Execution, giving full access to the administrative control of the TeamCity server. The attacker only needs HTTP(s) access to a TeamCity server for successful exploitation.

The vulnerability has a CVSS3.1 score of 9.8, meaning it is easily exploited over the internet with no user interaction and severe impact in the confidentiality, integrity, and availability of the affected system.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Jetbrains: https://blog.jetbrains.com/teamcity/2024/02/critical-security-issue-affecting-teamcity-on-premises-cve-2024-23917/

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-23917

TheRegister: https://www.theregister.com/2024/02/07/jetbrains_teamcity_critical_vuln/

Advisory #2023-119: https://cert.be/en/advisory/warning-authentication-bypass-leading-rce-jetbrains-teamcity-server-currently-exploited