This Cybersecurity Threat Advisory highlights JetBrains’ TeamCity vulnerabilities found in the CI/CD Server. One vulnerability allows unauthenticated access to an instance while the other allows for unauthenticated information disclosure and modification.
What is the threat?
A critical-severity authentication bypass vulnerability (CVE-2024-27198) within JetBrains’ TeamCity CI/CD Server allows for a complete compromise of a vulnerable server by a remote unauthenticated attacker using a single HTTP request that avoids all authentication checks. A remote unauthenticated attacker can then leverage this to take control of the TeamCity server.
In addition, CVE-2024-27199 allows for unauthenticated information disclosure and modification. Attackers can reach multiple authenticated endpoints using path traversal to disclose information about the server. Additionally, some files can be modified such as the certificate and port number. Attackers can also leverage this to change the HTTPS port or upload a certificate that fails client-side validation resulting in a denial-of-server.
Why is it noteworthy?
There have been two observed campaigns with at least one attempting to distribute ransomware and another creating admin users on vulnerable servers. According to LeakIX, threat actors appear to have already acted, compromising more than 1,442 of the 1,711 unpatched public hosts as of 3/6/24.
What is the exposure or risk?
Organizations using TeamCity are susceptible to lateral movement within the environment, being the host of a supply chain attack, or a denial-of-service to their CI/CD pipeline.
What are the recommendations?
- Update all TeamCity instances to TeamCity 2023.11.4 or newer.
- Check within “teamcity-javaLogging” log file for the regex pattern “\/\S*\?\S*jsp=\S*;\.jsp “ to ensure CVE-2024-27198 hasn’t been exploited.
- Ensure no unauthorized plugins, users, or access tokens are created.
- Check the server port and certificate to see if they are correct.
- Within the “teamcity-javaLogging” check to see if a user has accessed sensitive authenticated endpoints such as:
- /.well-known/acme-challenge/../../admin/diagnostic.jsp
- /update/../admin/diagnostic.jsp
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-27198
- https://nvd.nist.gov/vuln/detail/CVE-2024-27199
- https://www.bleepingcomputer.com/news/security/critical-teamcity-flaw-now-widely-exploited-to-create-admin-accounts/
- https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive
If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
