Governance & Risk Management
                                                    ,
                                                            Next-Generation Technologies & Secure Development
                                                    ,
                                                            Patch Management
                                                                                                                                            
                    Users Advised to Prioritize Patching for Publicly Known Flaws, Exploit
                

Critical vulnerabilities affecting all on-premises versions of TeamCity servers can result in authentication bypass and path traversal, enabling an attacker to gain administrative privileges for a server and take it over, provider JetBrains warned.
See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors
JetBrains on Monday released an update for TeamCity On-Premises CI/CD solution to fix two security vulnerabilities tracked as CVE-2024-27198 and CVE-2024-27199.
Both bugs are authentication bypass vulnerabilities but the “most severe” of the two, CVE-2024-27198, “allows for a complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated RCE,” Rapid7 said.
With a detailed description of the vulnerability and a corresponding exploit in the public domain, real-world exploitation could emerge soon, researchers warned, and they urged users to patch immediately.
“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” said researchers at Rapid7, which found the two security flaws.
Rapid7 created an exploit to demonstrate the severity of the flaw. Researchers generated an authentication that allowed them to get shell access on the target TeamCity server.
The U.S. Cybersecurity and Infrastructure Security Agency shared similar insights in December, stating that a compromised TeamCity server could give threat actors access to software developers’ source code and signing certificates and give the actor the ability to subvert software compilation and deployment processes.
The majority of TeamCity servers that are vulnerable to the two authentication bypass vulnerabilities are located in the U.S., followed by Germany and Russia, according to internet scanner Netlas.io.
JetBrains initially announced the release of TeamCity 2023.11.4, which addresses the two vulnerabilities, in a terse blog post. “We do not share the details of security-related issues to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity,” it said.
But after the release of Rapid7’s technical advisory, JetBrains released a second blog post to disclose the severity of the problems and the consequences of exploiting them.
The company highly recommends that administrators update their servers, but if that is currently not possible, a security patch plug-in is available for TeamCity 2018.2 and newer versions, as well as for TeamCity 2018.1 and older versions.
JetBrains said the cloud variant of the server is already patched, and there are no indications that threat actors have tried to target them using exploits for either of the two vulnerabilities.
