TeamCity Authentication Bypass Vulnerabilities Addressed (CVE-2024-27198 and CVE-2024-27199)

Recent disclosures have highlighted two vulnerabilities within JetBrains TeamCity, a popular CI/CD server, that pose significant security risks to software development and deployment processes. Identified as CVE-2024-27198 and CVE-2024-27199 , these flaws enable authentication bypass and could lead to unauthorized administrative access or even remote code execution on affected servers.

Overview of TeamCity Vulnerabilities

CVE-2024-27198: Critical Authentication Bypass

CVE-2024-27198 is classified as a critical vulnerability with a CVSS score of 9.8. It stems from an alternate path or channel flaw (CWE-288), allowing attackers to bypass authentication mechanisms. This vulnerability is particularly alarming because it permits remote, unauthenticated attackers to fully compromise the TeamCity server, potentially leading to unauthenticated remote code execution (RCE).

CVE-2024-27199: High Severity Authentication Bypass

The second vulnerability, CVE-2024-27199, has a high severity rating with a CVSS score of 7.3. This vulnerability arises from a path traversal issue (CWE-22), enabling attackers to access or modify system information and replace the HTTPS certificate on the TeamCity server with one of their choosing. Though this vulnerability allows for a limited amount of information disclosure and system modification, its impact is non-negligible, potentially affecting server integrity and confidentiality.

Impact and Mitigations

The exploitation of these vulnerabilities can grant attackers administrative control over all TeamCity projects, builds, agents, and artifacts. This level of access not only compromises the integrity of the software development and deployment pipeline but also opens the door to more sophisticated supply chain attacks.

To address these vulnerabilities, JetBrains has released an update for TeamCity (version 2023.11.4), which patches both CVE-2024-27198 and CVE-2024-27199. It is crucial for organizations running any version of TeamCity prior to 2023.11.4 to upgrade to this latest version or apply the available security patch plugin to mitigate the risks associated with these vulnerabilities.

"This vulnerability bears a striking resemblance to a flaw uncovered in TeamCity a few months prior (CVE-2023-42793), which fell prey to exploitation by North Korean nation-state actors. It appears that Rapid7 has conducted a thorough examination and identified similar bypass methods within TeamCity."

- Olivier Beg, Chief Hacking Officer @ Hadrian

Actionable Recommendations

Immediate Patching: With proofs of concept already published and reports of exploitation attempts, organizations must update their TeamCity installations to version 2023.11.4 as soon as possible.

Awareness and Vigilance: The discovery of these vulnerabilities and the publication of technical details increase the likelihood of exploitation attempts. Organizations must remain vigilant and monitor their systems for signs of compromise.

External Exposure Management: If immediate patching is not feasible, it is recommended to temporarily make TeamCity servers inaccessible from the internet until mitigation actions have been completed. This reduces the risk of exploitation from external attackers.

The disclosure of these vulnerabilities underscores the importance of prompt and proactive security practices in safeguarding critical infrastructure against emerging threats. By staying informed, applying necessary updates, and employing comprehensive exposure management strategies, organizations can protect their assets and maintain the integrity of their CI/CD pipelines. For more detailed information on mitigation strategies and to understand how these vulnerabilities may affect your organization, you can reach out to one of Hadrian’s security expert here.