Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers
5.3.24 Exploit The Hacker News
A new pair of security vulnerabilities have been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems.
The flaws, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), have been addressed in version 2023.11.4. They impact all TeamCity On-Premises versions through 2023.11.3.
"The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server," JetBrains said in an advisory released Monday.
TeamCity Cloud instances have already been patched against the two flaws. Cybersecurity firm Rapid7, which discovered and reported the issues on February 20, 2024, said CVE-2024-27198 is a case of authentication bypass that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker.
"Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack," the company noted.
CVE-2024-27199, also an authentication bypass flaw, stems from a path traversal issue that can permit an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of their choosing via the "/app/https/settings/uploadCertificate" endpoint and even alter the port number the HTTPS service listens on.
A threat actor could leverage the vulnerability to perform a denial-of-service against the TeamCity server by either changing the HTTPS port number, or by uploading a certificate that will fail client-side validation. Alternatively, the uploaded certificate could be used for adversary-in-the-middle scenarios if it's trusted by the clients.
"This authentication bypass allows for a limited number of authenticated endpoints to be reached without authentication," Rapid7 said of the shortcoming.
"An unauthenticated attacker can leverage this vulnerability to both modify a limited number of system settings on the server, as well as disclose a limited amount of sensitive information from the server."
The development comes nearly a month after JetBrains released fixes to contain another flaw (CVE-2024-23917, CVSS score: 9.8) that could also enable an unauthenticated attacker to gain administrative control of TeamCity servers.
With security vulnerabilities in JetBrains TeamCity having come under active exploitation last year by North Korean and Russian threat actors, it's essential that users take steps to update their servers immediately.