JetBrains has patched a critical security vulnerability in its TeamCity On-Premises server that can allow unauthenticated remote attackers to gain control over an affected server and use it to perform further malicious activity within an organization’s environment.
TeamCity is a software development lifecycle (SDLC) management platform that about 30,000 organizations — including several major brands like Citibank, Nike, and Ferrari — use to automate processes to build, test, and deploy software. As such, it’s home to scores of data that can be useful to attackers, including source code and signing certificates, and also could allow for tampering with compiled versions software or deployment processes.
The flaw, tracked as CVE-2024-23917, presents the weakness CWE-288, which is an authentication bypass using an alternate path or channel. JetBrains identified the flaw on Jan. 19; it affects all versions from 2017.1 through 2023.11.2 of its TeamCity On-Premises continuous integration and delivery (CI/CD) server.
“If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” TeamCity’s Daniel Gallo wrote in a blog post detailing CVE-2024-23917, published earlier this week.
JetBrains already has released an update that addresses the vulnerability, TeamCity On-Premises version 2023.11.3, and also patched its own TeamCity Cloud servers. The company also verified that its own servers were not attacked.
TeamCity’s History of Exploitation
Indeed, TeamCity On-Premises flaws are not to be taken lightly, as the last major flaw discovered in the product spurred a global security nightmare when various state-sponsored actors targeted it to engage in a range of malicious behavior.
In that case, a public proof-of-concept (PoC) exploit for a critical remote code execution (RCE) bug tracked as CVE-2023-42793 — found by JetBrains and patched last Sept. 30 — triggered near immediate exploitation by two North Korean state-backed threat groups tracked by Microsoft as Diamond Sleet and Onyx Sleet. The groups exploited the flaw to drop backdoors and other implants for carrying out a wide range of malicious activities, including cyber espionage, data theft, and financially motivated attacks.
Then in December, APT29 (aka CozyBear, the Dukes, Midnight Blizzard, or Nobelium), the notorious Russian threat group behind the 2020 SolarWinds hack, also pounced on the flaw. In activity tracked by CISA, the FBI, and the NSA, among others, the APT hammered vulnerable servers, using them for initial access to escalate privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
Update or Alternative Mitigation Recommended
Hoping to avoid a similar scenario with its latest flaw, JetBrains urged anyone with affected products in their environment to immediately update to the patched version.
If this isn’t possible, JetBrains also released a security patch plugin that’s available for download and can be installed on TeamCity versions 2017.1 through 2023.11.2 that will fix the issue. The company also posted installation instructions online for the plugin to help customers mitigate the issue.
TeamCity stressed however that the security patch plugin will only address the vulnerability and not provide other fixes, so customers are highly recommended to install the latest version of TeamCity On-Premises “to benefit from many other security updates,” Gallo wrote.
Further, if an organization has an affected server that is publicly accessible over the Internet and can’t take either of those mitigation steps, JetBrains recommended that the server is made in accessible until the flaw can be mitigated.
Considering the history of exploitation when it comes to TeamCity bugs, patching is a necessary and crucial first step that organizations need to take to handle the issue, Brian Contos, CSO at Sevco Security, observes. However, given that there could be Internet-facing servers that a company has lost track of, he suggests further steps may need to be taken to more firmly lock down an IT environment.
“It’s hard enough to defend the attack surface you know about, but it becomes impossible when there are vulnerable servers that don’t show up on your IT asset inventory,” Contos says. “Once the patching is taken care of, security teams must turn their attention to a longer-term, more sustainable approach to vulnerability management.”