JetBrains has disclosed two security vulnerabilities in its TeamCity On-Premises software that pose serious risks to users. CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3) affect all on-premises versions up to and including 2023.11.3 and are fixed in version 2023.11.4.
Both flaws allow an unauthenticated attacker with HTTP(S) access to a server to bypass its authentication checks, and the more severe one yields administrative control over the affected instance. JetBrains emphasized in its advisory, released on Monday, that this could lead to significant breaches of data integrity and system control.
TeamCity Cloud instances have already been patched. Cybersecurity firm Rapid7, which discovered and reported the issues in February 2024, describes CVE-2024-27198 as an authentication bypass that enables a remote attacker to completely compromise a vulnerable server.
Compromising a TeamCity server gives an intruder full control over all associated projects, builds, agents, and artifacts, which makes it an attractive route for executing supply chain attacks, the firm noted in its bulletin. The second vulnerability, CVE-2024-27199, is a path traversal issue that permits an unauthenticated attacker to replace the server's HTTPS certificate with one of their choosing and to change the port on which the server listens for HTTPS connections.
Either change can be abused for denial of service: moving the listener to a port clients do not expect, or installing a certificate that fails client-side validation so that clients refuse to connect. If the attacker instead holds a certificate that clients would trust, the same primitive enables adversary-in-the-middle attacks against traffic to the server. Rapid7 further remarked that the flaw lets unauthenticated attackers modify a limited set of other server settings and disclose some sensitive information.
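As an added example (not part of the original article, and not tooling from JetBrains or Rapid7), the Python script below turns two of the points above into checks an administrator can run: whether a reported server version falls inside the affected range stated in the advisory (through 2023.11.3, fixed in 2023.11.4), and whether the HTTPS endpoint still presents the expected certificate on the expected port, the two properties CVE-2024-27199 lets an attacker alter. Host names, ports, fingerprints and version strings passed on the command line are placeholders; the baseline fingerprint is assumed to have been recorded from a known-good deployment beforehand.

```python
"""Triage checks for the TeamCity advisory: version range and TLS drift.

Added example, not code from the original article or from JetBrains/Rapid7.
"""
import argparse
import hashlib
import re
import socket
import ssl
from typing import Optional, Tuple

# Boundary stated in the advisory: on-premises builds through 2023.11.3 are
# affected, 2023.11.4 is the first fixed release.
FIRST_FIXED_VERSION = (2023, 11, 4)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2023.11.3' or '2023.11.3 (build 147512)' into a comparable
    tuple, padding missing components with zeros ('2023.11' -> 2023.11.0)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the server still needs the 2023.11.4 update."""
    return parse_version(version) < FIRST_FIXED_VERSION


def sha256_fingerprint(der: bytes) -> str:
    """Lower-case hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def normalise_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' style fingerprints from a baseline file."""
    return fp.replace(":", "").replace(" ", "").lower()


def fetch_leaf_cert(host: str, port: int, timeout: float = 5.0) -> Optional[bytes]:
    """Return the DER certificate the server presents, or None if no TLS
    listener answers on that port. Verification is deliberately disabled so
    that a replaced, untrusted certificate is still captured for comparison
    rather than causing the handshake to abort before we see it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def assess_tls_endpoint(observed_der: Optional[bytes], expected_fp: str) -> str:
    """Classify what was observed on the port the server is expected to use."""
    if observed_der is None:
        # Listener moved or gone: the denial-of-service outcome described above.
        return "port-unreachable"
    if sha256_fingerprint(observed_der) != normalise_fingerprint(expected_fp):
        # Certificate no longer matches the recorded baseline: investigate
        # for a replaced certificate before trusting the endpoint.
        return "certificate-changed"
    return "ok"


def check_server(host: str, port: int, expected_fp: str) -> str:
    """Network wrapper around assess_tls_endpoint for use from the CLI."""
    return assess_tls_endpoint(fetch_leaf_cert(host, port), expected_fp)


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="TeamCity advisory triage (example)")
    ap.add_argument("--version", help="server version string as reported by TeamCity")
    ap.add_argument("--host", help="TeamCity host to probe (placeholder)")
    ap.add_argument("--port", type=int, default=8443, help="expected HTTPS port")
    ap.add_argument("--fingerprint", help="baseline SHA-256 of the server certificate")
    args = ap.parse_args()
    if args.version:
        state = "AFFECTED, update to 2023.11.4" if is_affected(args.version) else "fixed release"
        print(f"version {args.version}: {state}")
    if args.host and args.fingerprint:
        print(f"{args.host}:{args.port}: {check_server(args.host, args.port, args.fingerprint)}")
```

Record the baseline fingerprint from a deployment you know is clean and run the TLS check from a host that reaches the server the same way your build agents do; a "port-unreachable" or "certificate-changed" result on an instance that was exposed while running an affected version is a reason to treat the server as potentially compromised, not merely misconfigured.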
The disclosure comes shortly after JetBrains addressed another critical flaw, CVE-2024-23917 (CVSS score: 9.8), that likewise allowed an unauthenticated attacker with HTTP(S) access to gain administrative control. Previous TeamCity vulnerabilities have been actively exploited by North Korean and Russian threat actors, so organisations running on-premises instances, especially those whose pipelines handle sensitive code or credentials, should update immediately.
From a tactical standpoint, the only precondition for exploitation is network access to the server's HTTP(S) interface, so an internet-facing TeamCity instance can be attacked directly as an initial access step. Beyond applying the update, administrators should keep the web interface off the public internet where possible, restricting it to a VPN or allowlisted ranges, and review servers that were exposed while running an affected version for signs of prior abuse, such as unexpected administrator accounts or access tokens and changes to the HTTPS certificate or port. No privilege escalation is needed on the attacker's side, since the bypass lands them at administrative level, which is why exposure itself must be treated as the risk.