Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199)

JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately.

“Rapid7 originally identified and reported these vulnerabilities to us and has chosen to adhere strictly to its own vulnerability disclosure policy. This means that their team will publish full technical details of these vulnerabilities and their replication steps within 24 hours of this notice,” the company stated today.

This also means that proof-of-concept and full exploits are likely to surface and be leveraged quickly.

About the vulnerabilities (CVE-2024-27198, CVE-2024-27199)

TeamCity by JetBrains is a continuous integration and continuous delivery (CI/CD) server, vulnerabilities in which have lately been exploited by Russian and North Korean state-sponsored attackers.

CVE-2024-27198 and CVE-2024-27199 may allow attackers to bypass authentication by using an alternate path or channel (CWE-288) and to traverse the file system to access files/directories outside of the restricted directory (CWE-23).

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company warns.

They affect all TeamCity On-Premises versions through 2023.11.3, and have been fixed in version version 2023.11.4.

“TeamCity Cloud servers have already been patched, and we have verified that they weren’t attacked,” the company reassured.

Update, patch, or take your server off the internet

Customers are advised to upgrade to the fixed version (either manually or by using the automatic update option within the solution) or to apply the security patch plugin – compatible with all TeamCity versions – if they can’t upgrade their servers to v2023.

“JetBrains’ policy typically involves withholding technical details of vulnerabilities for a longer period of time after a release to ensure thorough mitigation; however, this accelerated timeline necessitates an immediate server upgrade or patching to prevent exploitation,” the company added.

“If your server is publicly accessible over the internet, and you are unable to immediately perform one of the mitigation steps described below, we strongly recommend making your server inaccessible until mitigation actions have been completed.”

UPDATE (March 4, 2024, 04:10 p.m. ET):

The vulnerabilities were discovered by Stephen Fewer, Principal Security Researcher at Rapid7.

The company has published technical details about the two vulnerabilities – both allowing attackers to bypass authentication.

CVE-2024-27198 may allow remote unauthenticated attackers to compromise a vulnerable TeamCity server and gain control over all projects, builds, agents and artifacts associated with the server, by creating a new administrator user or by generating a new administrator access token.

This makes the vulnerability ideal for mounting supply chain attacks.

“The second vulnerability, CVE-2024-27199, allows for a limited amount of information disclosure and a limited amount of system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker’s choosing,” the company said.

“An attacker could perform a denial of service against the TeamCity server by either changing the HTTPS port number to a value not expected by clients, or by uploading a certificate that will fail client side validation. Alternatively, an attacker with a suitable position on the network may be able to perform either eavesdropping or a man-in-the-middle attack on client connections, if the certificate the attacker uploads (and has a private key for) will be trusted by the clients.”

UPDATE (March 5, 2024, 07:25 a.m. ET):

The Shadowserver Foundation says it “started seeing exploitation activity for CVE-2024-27198 around Mar 4th 22:00 UTC,” from 16 IPs.

UPDATE (March 7, 2024, 04:15 a.m. ET):

LeakIX is seeing massive exploitation of CVE-2024-27198. “Hundreds of users are created for later use across the Internet,” the project says.

“1711 vulnerable instances were found during our last scan, 1442 show clear signs of rogue user creation. If you were/are still running a vulnerable system, assume compromise,” they added.

There are also reports of exploitation followed up “by deployments of (suspected modified) Jasmin Ransomware.”