Critical Exploit for TeamCity Auth Bypass Bug Available: Immediate Patching Recommended

March 4, 2024

A critical vulnerability, identified as CVE-2024-27198, in JetBrains' TeamCity On-Premises CI/CD solution could allow a remote, unauthenticated attacker to gain control of the server with administrative rights. The full technical details needed to create an exploit are now public, so administrators should urgently address the issue by updating to the latest product version or installing a security patch plugin from JetBrains. The company has released a new version of the product, which also includes a fix for a second, less serious security issue, CVE-2024-27199. That vulnerability allows a limited number of system settings to be modified without authentication. Both vulnerabilities are in the web component of TeamCity and affect all versions of on-premises installations.

TeamCity is a CI/CD solution that helps software developers build and test their products in an automated manner. The vulnerabilities were discovered by Stephen Fewer, a principal security researcher at Rapid7, and reported to JetBrains in mid-February. CVE-2024-27198 can give an attacker complete control over a vulnerable TeamCity On-Premises server, including the ability to execute code remotely. “Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” Rapid7 said.

Rapid7 demonstrated the severity of the flaw by creating an exploit that bypassed authentication and gave them shell access (a Meterpreter session) on the target TeamCity server. Rapid7 provides a comprehensive explanation of the vulnerability's cause and of how it can be triggered and exploited to create a new administrator account or generate a new administrator access token, either of which grants full control over the target server.

The second vulnerability, although less severe because an attacker needs to already be on the victim's network, is also significant. It could be exploited for denial-of-service (DoS) attacks or to eavesdrop on client connections from an adversary-in-the-middle position. Attackers can cause a DoS condition on the server by changing the HTTPS port number or by uploading a certificate that clients fail to validate. Eavesdropping on connections is more challenging, as the attacker must ensure that the uploaded certificate is trusted by the clients.

JetBrains recently announced the release of TeamCity 2023.11.4, which addresses both vulnerabilities, without providing any details about the fixed security issues. In a separate blog post, the company disclosed the issues' severity and the consequences of exploiting them, noting that “all versions through 2023.11.3 are affected.” Administrators are strongly encouraged to update their server to version 2023.11.4. If this is not currently possible, a security patch plugin is available for TeamCity 2018.2 and newer as well as for TeamCity 2018.1 and older. The cloud variant of the server has already been patched, and there are no indications that threat actors have attempted to target it using exploits for either of the two vulnerabilities. However, on-premises installations of TeamCity that have not received the update are at risk, particularly since detailed instructions are available on how to trigger and exploit the security issues. Adversaries are expected to start scanning for vulnerable TeamCity servers exposed on the public internet and attempt to gain access with administrative privileges for supply-chain attacks.
