Two significant vulnerabilities have been identified in JetBrains TeamCity, a platform utilized for build management and continuous integration, with tracking identifiers CVE-2024-27198 and CVE-2024-27199. These vulnerabilities impact all TeamCity On-Premises versions released prior to 2023.11.4 and were actively exploited as early as March 6, 2024. A patch for these vulnerabilities was made available a couple of days prior, on March 4, 2024. If left unaddressed, these flaws could allow unauthorized attackers to bypass authentication and potentially seize administrative control of the affected servers.
"CVE-2024-27198 is particularly alarming due to its authentication bypass capabilities," said George Glass, a cybersecurity expert at Kroll. With a CVSS score of 9.8, it poses a critical risk, making it easier for attackers to gain administrative privileges.
In addition, CVE-2024-27199 is recognized as a path traversal vulnerability with a CVSS score of 7.3, indicating a high level of risk. This could enable limited administrative actions such as certificate replacement or denial of service attacks, further complicating the security landscape for TeamCity users.

Team Dynamics
The repercussions of exploiting these vulnerabilities extend beyond immediate server control. There is the potential for significant damage to code bases and CI/CD pipelines, as well as the risk of exposing sensitive credentials stored within TeamCity environments. "Exploitation can particularly jeopardize the integrity of codebases and present a broader supply chain risk," Glass explained.
Looking Ahead
Evidence of exploitation has already surfaced, with incidents reported in which attackers generated hundreds of random user accounts to preserve future access to compromised servers. This surge in activity is believed to have been driven by a technical article released shortly after the patches were issued, which included proof-of-concept code and details of a new Metasploit module targeting these vulnerabilities.
To counteract this threat, Kroll’s Cyber Threat Intelligence (CTI) team has outlined several key recommendations for organizations still using vulnerable versions of TeamCity. "It’s crucial to address instances of TeamCity servers that are still vulnerable by adhering to the mitigation strategies detailed in JetBrains' advisory notice," Glass emphasized.

For those unable to patch their systems immediately, experts advise disconnecting any internet-connected TeamCity instances to mitigate exposure. "If a TeamCity server that was accessible on the internet was not patched by March 4, organizations should operate under the assumption that it has been compromised and should engage digital forensics and incident response (DFIR) protocols," he added.
Additionally, companies are encouraged to monitor for any unauthorized account creations. "By checking ‘Administration/Users’ in the TeamCity server console, administrators can identify any new accounts created since March 4, highlighting potential compromises," said Glass.
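The account review described above can be scripted rather than done by eye in the console. The following is an added example (not code from Kroll or JetBrains): it compares a current user list against a baseline of accounts known before the patch date and flags the newcomers, marking those with random-looking usernames like the bulk-created accounts mentioned earlier. It assumes the user list is in the JSON shape of TeamCity's REST `/app/rest/users` endpoint (an assumption; the sample data is constructed).

```python
"""Flag TeamCity user accounts that appeared after a known-good baseline.

Assumed input shape: JSON like TeamCity's REST /app/rest/users response
(a "user" list with "id" and "username" fields). Sample data is constructed.
"""
import json
import math
import re
from collections import Counter

# Constructed baseline: usernames known to exist before the March 4, 2024 patch date.
BASELINE_USERNAMES = {"admin", "alice.chen", "build-agent", "ci.bot"}

# Constructed snapshot in the assumed shape of GET /app/rest/users.
SNAPSHOT_JSON = """
{"count": 7, "user": [
  {"id": 1, "username": "admin", "name": "Administrator"},
  {"id": 2, "username": "alice.chen", "name": "Alice Chen"},
  {"id": 3, "username": "build-agent", "name": "Build Agent"},
  {"id": 4, "username": "ci.bot", "name": "CI Bot"},
  {"id": 5, "username": "bob.smith", "name": "Bob Smith"},
  {"id": 6, "username": "qzkx8w1r", "name": "qzkx8w1r"},
  {"id": 7, "username": "a7d3f9kk2p", "name": ""}
]}
"""

RANDOM_NAME = re.compile(r"^[a-z0-9]{8,}$")  # no dots/dashes, 8+ lowercase alphanumerics

def shannon_entropy(s: str) -> float:
    """Bits per character; random strings score higher than human-chosen names."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_random(username: str) -> bool:
    """Heuristic: alphanumeric-only, mixes letters and digits, high entropy."""
    return (bool(RANDOM_NAME.match(username))
            and any(ch.isdigit() for ch in username)
            and any(ch.isalpha() for ch in username)
            and shannon_entropy(username) >= 2.5)

def find_suspicious_users(snapshot_json: str, baseline: set) -> list:
    """Return accounts absent from the baseline, each tagged with the random-name heuristic."""
    findings = []
    for u in json.loads(snapshot_json)["user"]:
        name = u["username"]
        if name in baseline:
            continue  # known before the patch date, nothing to review
        findings.append({"id": u["id"], "username": name, "random_looking": looks_random(name)})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_users(SNAPSHOT_JSON, BASELINE_USERNAMES):
        print(finding)
```

Any flagged account still needs a human check against HR or onboarding records; a legitimate new hire such as the constructed "bob.smith" will appear alongside the random ones.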
The urgency surrounding these vulnerabilities indicates a broader trend in cybersecurity, where quick iteration and knowledge sharing can enable threat actors to capitalize on newly discovered weaknesses. As patch cycles become more rapid, the importance of proactive security measures and responsiveness cannot be overstated.
In conclusion, the exploitation of these vulnerabilities presents a critical reality check for organizations utilizing JetBrains TeamCity. Management and IT teams must prioritize security patches and closely observe their systems to safeguard their environments against potential threats. As the landscape evolves, firms must remain vigilant in their cyber resilience efforts to stay ahead of the curve.

