JetBrains TeamCity vulnerability: How to defend against CVE-2024-27198, CVE-2024-27199

Two authentication bypass vulnerabilities, CVE-2024-27198 and CVE-2024-27199, were recently discovered on the JetBrains TeamCity CI/CD platform. Learn how you can reduce your risk.

On March 4th, 2024, the Czech software development tools company JetBrains[1] warned users of two vulnerabilities in its TeamCity CI/CD platform. CVE-2024-27198 and CVE-2024-27199 impact TeamCity on-premises versions through 2023.11.3 and were patched in version 2023.11.4.

Despite a rather swift response by JetBrains, several proofs of concept were made publicly available almost simultaneously with the publication of the vulnerabilities and their fixes. It was not a big surprise, then, that it only took a few days after the publication of CVE-2024-27198 before it was exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) has since added it to its Known Exploited Vulnerabilities (KEV)[2] catalog. Although CVE-2024-27199 was not added to CISA’s KEV catalog, it has likely also been exploited.

The vulnerabilities

The more severe of the two vulnerabilities is CVE-2024-27198; it received a CVSS v3 score of 9.8 (Critical). The other vulnerability, CVE-2024-27199, received a CVSS v3 score of 7.3 (High). Here’s what we know:

CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity. This flaw enables remote attackers to obtain administrative privileges on the affected system. According to the Rapid7[3] research team that discovered it, this could lead to “a complete compromise of a vulnerable TeamCity server, including unauthenticated RCE.” Once compromised, attackers could leverage their control of the targeted products to perform actions as far-reaching as a supply chain attack.

CVE-2024-27199 is also an authentication bypass vulnerability in the web component of TeamCity. It results from a path traversal issue that could allow remote attackers to gain limited privileges on the affected system. Although considered less severe, it still could allow remote, unauthenticated attackers to modify some settings on the affected system and access sensitive information.

Research conducted by TrendMicro[4] revealed that threat actors have taken advantage of the flaws to infect vulnerable systems with various malware such as ransomware, cryptocurrency miners, and remote access trojans (RATs).

Current solution

JetBrains encourages all users of TeamCity on-premises versions to upgrade their servers to version 2023.11.4. Users who cannot update their environments are advised to download a security patch plugin as instructed in the company’s advisory.
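As an added example (not from the advisory or from JetBrains), the following script parses TeamCity version strings from an asset inventory and flags servers still below the fixed release 2023.11.4. The hostnames and version strings are constructed sample values, and the "(build NNNNN)" suffix format is an assumption about how the server reports itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed release named in the advisory: TeamCity on-premises 2023.11.4.
FIXED_VERSION = (2023, 11, 4)

# Constructed sample inventory (assumed hostnames and version strings).
SAMPLE_INVENTORY = {
    "ci-build-01": "2023.11.3 (build 12345)",
    "ci-build-02": "2023.11.4 (build 12346)",
    "ci-legacy":   "2022.10.2",
    "ci-new":      "2024.03",
    "ci-unknown":  "n/a",
}

def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Extract the numeric YEAR.MINOR[.PATCH] prefix; trailing build info is ignored."""
    m = re.match(r"\s*(\d{4})\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        return None
    year, minor, patch = m.groups()
    return (int(year), int(minor), int(patch or 0))

def is_affected(raw: str) -> Optional[bool]:
    """True if the version is below 2023.11.4 and so exposed to
    CVE-2024-27198 / CVE-2024-27199 per the advisory; None if unparseable."""
    v = parse_version(raw)
    if v is None:
        return None
    return v < FIXED_VERSION

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts into affected / fixed / unknown for remediation tracking."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, raw in inventory.items():
        status = is_affected(raw)
        key = "unknown" if status is None else ("affected" if status else "fixed")
        result[key].append(host)
    return result

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A server that stays on an older version but has the security patch plugin installed will still be reported as affected by a version check alone, so treat that bucket as "verify manually" rather than "confirmed vulnerable".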

JetBrains patched all TeamCity Cloud instances and verified that none had been attacked.

How Skybox helps

The Skybox Research Lab added the vulnerabilities to our threat intelligence feed shortly after the discovery was made public. Once they were found to be exploited in the wild, their status in the feed was updated accordingly.

The vulnerabilities’ statuses and any subsequent changes are factored into the comprehensive Skybox risk score. This method considers multiple risk factors, enabling users to identify and understand the riskiest vulnerabilities and assets in their organization in a simplified and direct manner and to make the best remediation decisions.

In this case, Skybox customers define the importance of JetBrains TeamCity in the organizational network. Based on this importance and other factors, including the general CVSS score for CVE-2024-27198 and CVE-2024-27199, the security team of the organization is provided with a customized risk score. This score helps them to make an informed decision about the best way to protect the organization.

Skybox threat intelligence offers valuable insights on potential threats and recommends ways to mitigate them effectively. It prescribes compensating security controls, such as an IPS signature or firewall rule modification, to mitigate exposure risk on the customer’s network.

Learn how Skybox proactively protects you from vulnerabilities like the ones affecting these CI/CD systems.

Citations

  1. JetBrains
  2. KEV catalog
  3. Rapid7
  4. TrendMicro