JetBrains has patched a critical security vulnerability in its TeamCity On-Premises server that could allow unauthenticated, remote attackers to gain control over an affected server and use it to execute further malicious activities within an organization’s environment.
TeamCity is a software development lifecycle (SDLC) management platform that approximately 30,000 organizations, including several major brands such as Citibank, Nike, and Ferrari, use to automate their software build, testing, and deployment processes. As such, it hosts a great deal of data that can be useful to attackers, including source code and signing certificates, and a compromised server could also allow tampering with compiled versions of software or with distribution processes.
The flaw, tracked as CVE-2024-23917, presents weakness CWE-288, which is an authentication bypass that uses an alternate path or channel. JetBrains identified the flaw on January 19; it affects all versions from 2017.1 through 2023.11.2 of the TeamCity On-Premises continuous integration and deployment (CI/CD) server.
“If abused, the flaw could allow an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication controls and gain administrative control of that TeamCity server,” wrote TeamCity’s Daniel Gallo in a blog post detailing CVE-2024-23917, released earlier this week.
JetBrains has already released an update that addresses the vulnerability, TeamCity On-Premises version 2023.11.3, and has also patched its TeamCity Cloud servers. The company also verified that its servers had not been attacked.
The history of TeamCity exploitation
Indeed, flaws in TeamCity On-Premises are not to be taken lightly: the last major flaw discovered in the product sparked a global security nightmare when various state-sponsored actors targeted it to carry out a range of malicious activity.
In that case, a public proof-of-concept (PoC) exploit for a critical remote code execution (RCE) bug tracked as CVE-2023-42793 – found by JetBrains and patched last September 30 – triggered almost immediate exploitation by two North Korean state-backed threat groups tracked by Microsoft as Diamond Sleet and Onyx Sleet. The groups exploited the flaw to install backdoors and other tools for carrying out a wide range of malicious activities, including cyber espionage, data theft, and financial attacks.
Then in December, APT29 (aka CozyBear, the Dukes, Midnight Blizzard, or Nobelium), the infamous Russian threat group also behind the 2020 SolarWinds hack, pounced on the flaw. In activity tracked by CISA, the FBI, and the NSA, among others, the APT targeted vulnerable servers, using them for initial access to escalate privileges, move laterally, deploy additional backdoors, and take other measures to ensure long-term, persistent access to compromised network environments.
Upgrade or alternative mitigation is recommended
Hoping to avoid a similar scenario with its latest flaw, JetBrains urged anyone with affected products in their environment to update to the patched version immediately.
If this is not possible, JetBrains has also released a security patch plugin that is available for download, can be installed on TeamCity versions 2017.1 to 2023.11.2, and will resolve the issue. The company also published installation instructions for the plugin online to help customers mitigate the issue.
TeamCity stressed, however, that the security patch plugin will only fix this vulnerability and will not provide any other fixes, so customers are strongly advised to install the latest version of TeamCity On-Premises “to benefit from many more security updates,” Gallo wrote.
Additionally, if an organization has an affected server that is publicly accessible on the Internet and cannot take any of these mitigation measures, JetBrains recommends making the server inaccessible until the flaw has been mitigated.
Given TeamCity’s history of exploited bugs, patching is a necessary and crucial first step organizations must take to manage the issue, notes Brian Contos, CSO at Sevco Security. However, given that there may be servers connected to the Internet that a company has lost track of, he suggests that additional steps may be needed to more securely lock down an IT environment.
“It’s hard enough to defend the attack surface you know, but it becomes impossible when there are vulnerable servers that don’t show up in the IT asset inventory,” Contos says. “Once patches are resolved, security teams need to turn their attention to a more sustainable, long-term approach to vulnerability management.”
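The affected range and mitigation options described above can be turned into a quick inventory triage. The following is an added example, not code from JetBrains or from the original article; the CSV columns, host names, build number and status labels are all constructed for illustration.

```python
import csv
import io
import re

# Range stated in the article: 2017.1 through 2023.11.2 affected; fixed in 2023.11.3.
FIRST_AFFECTED = (2017, 1, 0)
LAST_AFFECTED = (2023, 11, 2)

# Most urgent first. Status names are this example's own labels.
PRIORITY = ["affected-exposed", "affected-internal", "unknown-version",
            "mitigated-by-plugin", "outside-stated-range", "patched"]

# Constructed sample inventory (hosts, versions and build number are made up).
SAMPLE_INVENTORY = """host,version,internet_facing,patch_plugin
ci-01.example.internal,2023.11.3,no,no
ci-02.example.internal,2023.05.4 (build 12345),yes,no
ci-03.example.internal,2021.2.3,no,yes
ci-04.example.internal,2017.1,no,no
ci-05.example.internal,,yes,no
ci-06.example.internal,10.0.5,no,no
"""

def parse_version(text):
    """Return the leading dotted version as a tuple of 3+ ints, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))   # "2017.1" -> (2017, 1, 0)

def classify(version_text, internet_facing, patch_plugin):
    v = parse_version(version_text)
    if v is None:
        return "unknown-version"        # cannot be ruled out; check the host by hand
    if v > LAST_AFFECTED:
        return "patched"                # 2023.11.3 or later
    if v < FIRST_AFFECTED:
        return "outside-stated-range"   # the article makes no claim about these
    if patch_plugin:
        return "mitigated-by-plugin"    # plugin fixes only this flaw; upgrade still advised
    return "affected-exposed" if internet_facing else "affected-internal"

def triage(csv_text):
    """Return (host, status) pairs sorted so the most urgent hosts come first."""
    rows = [(r["host"], classify(r["version"], r["internet_facing"] == "yes",
                                 r["patch_plugin"] == "yes"))
            for r in csv.DictReader(io.StringIO(csv_text))]
    return sorted(rows, key=lambda row: PRIORITY.index(row[1]))
```

Hosts with a missing or unparseable version are ranked above plugin-mitigated ones because, as with servers absent from the inventory altogether, they cannot be ruled out without a manual check.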