Rewterz Threat Update – New Critical TeamCity Authentication Bypass Flaws with Publicly Available Exploit

Severity

High

Analysis Summary

Two critical vulnerabilities, CVE-2024-27198 and CVE-2024-27199, were discovered in JetBrains’ TeamCity On-Premises CI/CD solution. CVE-2024-27198 allows remote unauthenticated attackers to gain administrative control over TeamCity servers, potentially leading to complete compromise and remote code execution. Meanwhile, CVE-2024-27199 permits path traversal and manipulation of system settings without proper authentication, posing significant risks, especially for networks with already present attackers.

The cybersecurity researcher who discovered these vulnerabilities also demonstrated the severity of the flaws by creating an exploit that generated an authentication and allowed them to get shell access (Meterpreter session) on the targeted TeamCity server. The impact of these vulnerabilities extends beyond server compromise, potentially enabling attackers to conduct denial-of-service (DoS) attacks or eavesdrop on client connections.

To address these vulnerabilities, JetBrains released TeamCity version 2023.11.4 which contains fixes for both issues. Although detailed information about the vulnerabilities wasn’t immediately disclosed, administrators are strongly urged to update this version promptly. For those unable to update immediately, security patch plugins are provided, covering versions from 2018.2 onwards and older installations. JetBrains confirmed patching the cloud variant but cautioned that on-premise installations remain vulnerable, especially given the availability of exploit details.

Albeit with increased complexity due to certificate validation requirements, the urgency for mitigation underscores the potential severity of these vulnerabilities and the importance of proactive security measures. With adversaries likely to exploit these weaknesses, organizations must prioritize updating their TeamCity installations promptly to mitigate the risk of exploitation and potential supply chain attacks.

Impact

• Security Bypass
• Unauthorized Access
• Code Execution

Indicators Of Compromise

CVE

• CVE-2024-27198
• CVE-2024-27199

Affected Vendors

JetBrains

Affected Products

• JetBrains TeamCity 2023.11.4

Remediation

• Refer to the JetBrains Website for patch, upgrade, or suggested workaround information.
• Apply the latest security patches and updates to the email server software and associated components to address vulnerabilities. Also, prioritize patching known exploited vulnerabilities and zero-days.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.