Critical Authentication Bypass Vulnerability in TeamCity On-Premises Servers

February 6, 2024

JetBrains, the software development company, has issued an urgent call to customers to patch their TeamCity On-Premises servers due to a critical authentication bypass vulnerability. This severe flaw, designated as CVE-2024-23917, affects all versions of TeamCity On-Premises from 2017.1 to 2023.11.2 and can be exploited in remote code execution (RCE) attacks that do not require user interaction.

JetBrains strongly recommends all users of TeamCity On-Premises to upgrade their servers to 2023.11.3 to rectify this vulnerability. For servers that are publicly accessible and cannot be immediately upgraded, the company suggests making them temporarily inaccessible until mitigation steps are completed. For those unable to upgrade immediately, a security patch plugin can be used to secure servers running specific versions of TeamCity.

The company has confirmed that all TeamCity Cloud servers have been patched and there is no evidence of them being attacked. However, it remains unclear whether CVE-2024-23917 has been exploited in the wild to compromise internet-exposed TeamCity On-Premises servers. Shadowserver is currently monitoring over 2,000 TeamCity servers exposed online, but it is uncertain how many have been patched.

A similar authentication bypass vulnerability, tracked as CVE-2023-42793, was previously exploited by the APT29 hacking group, associated with Russia's Foreign Intelligence Service (SVR), in widespread RCE attacks since September 2023. The Cybersecurity and Infrastructure Security Agency (CISA) warned, 'By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers.'

Several ransomware gangs have also exploited this vulnerability since early October to infiltrate corporate networks. Microsoft reports that the North Korean hacking groups Lazarus and Andariel also utilized CVE-2023-42793 exploits to infiltrate victims' networks, likely in preparation for software supply chain attacks.

Finally, JetBrains states that over 30,000 organizations globally use the TeamCity software building and testing platform, including prominent companies like Citibank, Ubisoft, HP, Nike, and Ferrari.

Related News

• Russian APT 'Midnight Blizzard' Breached HPE and Microsoft Months Apart
• Russian APT29 Hackers Exploiting TeamCity Servers Since September: CISA
• Lazarus Group Exploits Log4j Security Flaws to Launch Global Cyberattack Campaign
• North Korean Hacking Groups Exploit TeamCity Vulnerability to Breach Networks
• Ransomware Groups Exploiting Critical TeamCity RCE Flaw

Latest News

• Widespread Exploitation of Ivanti SSRF Zero-Day Vulnerability Observed
• Mispadu Banking Trojan Exploits Patched Windows SmartScreen Flaw
• Critical Vulnerability in Mastodon Social Network Allows Account Takeovers
• Russian APT28 Hackers Launch NTLM Relay Attacks on High-Value Global Targets
• CISA Instructs Federal Agencies to Disconnect Ivanti VPN Instances Amidst Zero-Day Exploits