Advisory February 7, 2024

Critical Vulnerability in JetBrains TeamCity

The Obrela Threat Intelligence Team

Critical Vulnerability in JetBrains TeamCity – CVE-2024-23917

JetBrains has identified a critical authentication bypass flaw in its TeamCity On-Premises software that can lead to remote code execution (RCE). TeamCity is a continuous integration and continuous deployment (CI/CD) solution that automates the software development and delivery process, providing tools for building, testing, and deploying code. Tracked as CVE-2024-23917 and rated 9.8 out of 10 in severity, the vulnerability could be exploited by threat actors to gain administrative control over susceptible instances.

Vulnerability Details:

  • CVE Identifier: CVE-2024-23917
  • Severity: Critical (CVSS 9.8)
  • Description: The flaw allows an unauthenticated attacker with HTTP(S) access to bypass authentication checks and gain administrative control over the TeamCity server.
  • Affected Versions: TeamCity On-Premises versions from 2017.1 through 2023.11.2.

Previous Exploitation Incidents:

  • JetBrains highlighted that there is no evidence of exploitation in the wild. However, a similar flaw (CVE-2023-42793, CVSS score: 9.8) was actively exploited in the past by threat actors, including ransomware gangs and state-sponsored groups from North Korea and Russia.

Mitigation and Fixes:

  • Official Fix: The vulnerability has been addressed in version 2023.11.3.
  • Security Patch Plugin: Users unable to update immediately can apply the fix through a security patch plugin, which is provided for versions 2017.1 through 2023.11.2.
  • Publicly Accessible Servers: For publicly accessible servers, changing passwords and making the server temporarily inaccessible is recommended if immediate updates are not feasible.
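
To sort an asset inventory against the version range above, the following added example (not JetBrains or Obrela code) classifies TeamCity version strings as affected or fixed. The hostnames, build number and inventory format are constructed assumptions; only the version bounds come from this advisory.

```python
import re

# Bounds copied from the advisory: affected 2017.1 through 2023.11.2, fixed in 2023.11.3.
FIRST_AFFECTED = (2017, 1, 0)
LAST_AFFECTED = (2023, 11, 2)
FIXED_IN = (2023, 11, 3)

# Matches "2023.11.2", "2023.05.4 (build ...)" or "2017.1"; the patch part is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) as ints, so a zero-padded '05' compares as 5."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def classify(text):
    """Map a version string to a triage status for CVE-2024-23917."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparsed"              # needs manual review
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    if version >= FIXED_IN:
        return "fixed"
    return "outside-advisory-range"    # older than 2017.1, not covered by the advisory

def triage(inventory):
    """inventory: iterable of (host, version_string). Returns {status: [hosts]}."""
    result = {}
    for host, version in inventory:
        result.setdefault(classify(version), []).append(host)
    return result

# Constructed sample inventory; hostnames and the build number are made up.
SAMPLE = [
    ("ci-01.example", "2023.11.2 (build 147486)"),
    ("ci-02.example", "2023.11.3"),
    ("ci-03.example", "2023.05.4"),
    ("ci-04.example", "2017.1"),
    ("ci-05.example", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

This check reads only the version string, so it cannot tell whether the security patch plugin has been applied to a host in the affected range; confirm that separately.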

Additional Information:

  • User Verification: JetBrains assures that TeamCity Cloud servers have been patched, and there is no evidence of attacks on them.
  • Threat Landscape: Shadowserver is monitoring over 2,000 exposed TeamCity servers, emphasizing the importance of prompt updates.
