On March 4th, 2024, the Czech software development tools company JetBrains[1] warned users of two vulnerabilities in its TeamCity CI/CD platform. CVE-2024-27198 and CVE-2024-27199 impact TeamCity on-premises versions through 2023.11.3 and were patched in version 2023.11.4.
Despite a rather swift response by JetBrains, several proofs of concept were made publicly available almost simultaneously with the publication of the vulnerabilities and their fixes. It was not a big surprise, then, that it only took a few days after the publication of CVE-2024-27198 before it was exploited in the wild. The US Cybersecurity and Infrastructure Security Agency (CISA) has since added it to its Known Exploited Vulnerabilities (KEV)[2] catalog. Although CVE-2024-27199 was not added to CISA’s KEV catalog, it has likely also been exploited.
The vulnerabilities
The most severe of the two vulnerabilities is CVE-2024-27198; it received a CVSS v3 score of 9.8 (Critical). The other vulnerability, CVE-2024-27199, received a CVSS v3 score of 7.3 (High). Here’s what we know:
CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity. This flaw enables remote attackers to obtain administrative privileges on the affected system. According to the Rapid7[3] research team that discovered it, this could lead to “a complete compromise of a vulnerable TeamCity server, including unauthenticated RCE.” Once compromised, attackers could leverage their control of the targeted products to perform actions as far-reaching as a supply chain attack.
CVE-2024-27199 is also an authentication bypass vulnerability in the web component of TeamCity. It results from a path traversal issue that could allow remote attackers to gain limited privileges on the affected system. Although considered less severe, it still could allow remote, unauthenticated attackers to modify some settings on the affected system and access sensitive information.
Research conducted by Trend Micro[4] revealed that threat actors have taken advantage of the flaws to infect vulnerable systems with various malware such as ransomware, cryptocurrency miners, and remote access trojans (RAT
Current solution
JetBrains encourages all users of TeamCity on-premises versions to upgrade their servers to version 2023.11.4. Users who cannot update their environments are advised to download a security patch plugin as instructed in the company’s advisory.
JetBrains patched all versions of TeamCity Cloud and made sure none were attacked.
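The version guidance above can be applied across an asset inventory. The following is an added example, not code from JetBrains or from the sources cited here. The record fields (`deployment`, `version`, `patch_plugin`), the host names and the version strings are constructed for illustration.

```python
import re

# First fixed on-premises release, as stated in the text above.
FIXED = (2023, 11, 4)

def parse_version(text):
    """Return (major, minor, patch) from a string like '2023.11.3 (build 111111)'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    # A two-part version such as '2022.10' is treated as patch level 0.
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def triage(server):
    """Classify one inventory record (hypothetical schema) against the advisory."""
    if server.get("deployment") == "cloud":
        return "no action: TeamCity Cloud was patched by JetBrains"
    version = parse_version(server.get("version"))
    if version is None:
        # An unreadable version must not be counted as safe.
        return "investigate: version unknown, treat as vulnerable"
    if version >= FIXED:
        return "ok: running a fixed release"
    if server.get("patch_plugin"):
        return "mitigated: security patch plugin installed, upgrade when possible"
    return "vulnerable: upgrade to 2023.11.4 or install the security patch plugin"

# Constructed sample inventory; build numbers are placeholders.
INVENTORY = [
    {"host": "ci-01", "deployment": "on-prem", "version": "2023.11.3 (build 111111)"},
    {"host": "ci-02", "deployment": "on-prem", "version": "2023.11.4 (build 222222)"},
    {"host": "ci-03", "deployment": "on-prem", "version": "2022.10 (build 333333)",
     "patch_plugin": True},
    {"host": "ci-04", "deployment": "cloud", "version": ""},
    {"host": "ci-05", "deployment": "on-prem", "version": "n/a"},
]

def report(inventory):
    """Map each host to its triage result."""
    return {s["host"]: triage(s) for s in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```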