Critical TeamCity Bug Allows for Server Takeovers


JetBrains has patched a critical security vulnerability in its TeamCity On-Premises server that could allow unauthenticated remote attackers to gain control over an affected server and use it to carry out further malicious activity within an organization's environment.

TeamCity is a software development lifecycle (SDLC) management platform that about 30,000 organizations (including several major brands such as Citibank, Nike, and Ferrari) use to automate the processes that build, test, and deploy software. As such, it is home to scores of data that could be useful to attackers, including source code and signing certificates, and it could also allow for tampering with compiled versions of software or with deployment processes.

The flaw, tracked as CVE-2024-23917, is classified as CWE-288, an authentication bypass using an alternate path or channel. JetBrains identified the flaw on Jan. 19; it affects all versions from 2017.1 through 2023.11.2 of its TeamCity On-Premises continuous integration and delivery (CI/CD) server.

“If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” TeamCity’s Daniel Gallo wrote in a blog post detailing CVE-2024-23917, published earlier this week.

JetBrains has already released an update that addresses the vulnerability, TeamCity On-Premises version 2023.11.3, and has also patched its own TeamCity Cloud servers. The company also verified that its own servers were not attacked.

TeamCity’s History of Exploitation

Indeed, TeamCity On-Premises flaws are not to be taken lightly: the last major flaw discovered in the product spurred a global security nightmare when various state-sponsored actors targeted it to engage in a range of malicious behavior.

In that case, a public proof-of-concept (PoC) exploit for a critical remote code execution (RCE) bug tracked as CVE-2023-42793, found by JetBrains and patched last Sept. 30, triggered near-immediate exploitation by two North Korean state-backed threat groups tracked by Microsoft as Diamond Sleet and Onyx Sleet. The groups exploited the flaw to drop backdoors and other implants for carrying out a range of malicious activities, including cyber espionage, data theft, and financially motivated attacks.

Then in December, APT29 (aka CozyBear, the Dukes, Midnight Blizzard, or Nobelium), the notorious Russian threat group behind the 2020 SolarWinds hack, also pounced on the flaw. In activity tracked by CISA, the FBI, and the NSA, among others, the APT hammered vulnerable servers, using them for initial access to escalate privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent, long-term access to the compromised network environments.

Hoping to avoid a similar scenario with its latest flaw, JetBrains urged anyone with affected products in their environment to update to the patched version immediately.

If that is not possible, JetBrains has also released a security patch plugin that is available for download and can be installed on TeamCity versions 2017.1 through 2023.11.2 to fix the issue. The company also posted installation instructions for the plugin online to help customers mitigate the issue.

TeamCity stressed, however, that the security patch plugin only addresses this vulnerability and does not provide other fixes, so customers are strongly advised to install the latest version of TeamCity On-Premises “to benefit from many other security updates,” Gallo wrote.

Further, if an organization has an affected server that is publicly accessible over the Internet and cannot take either of these mitigation steps, JetBrains recommended that the server be made inaccessible until the flaw can be mitigated.
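The three mitigation steps above all hinge on knowing which servers fall inside the affected range. The following Python triage helper is an added example, not JetBrains' code or tooling: it parses TeamCity version strings, checks them against the 2017.1 through 2023.11.2 range the advisory names, and reads the version out of a REST server-info response whose XML shape is assumed here and constructed inline.

```python
import re
import xml.etree.ElementTree as ET

# Affected range per the JetBrains advisory: 2017.1 through 2023.11.2.
# 2023.11.3 is the first release carrying the fix.
FIRST_AFFECTED = (2017, 1)
LAST_AFFECTED = (2023, 11, 2)


def parse_version(text):
    """Turn '2023.11.2' or '2023.11.2 (build NNN)' into an int tuple.

    Only the leading run of dotted integers is used; any build suffix
    is ignored, so the same parser works for bare and annotated strings.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True when the version lies inside the advisory's affected range.

    Tuple comparison treats '2023.11' as older than '2023.11.2', so a
    major.minor release with no patch number is still flagged.
    """
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def version_from_server_xml(xml_text):
    """Extract the 'version' attribute from a server-info XML document.

    Assumption (not taken from the article): the REST server-info
    response is an XML element with a 'version' attribute.
    """
    return ET.fromstring(xml_text).attrib["version"]


# Constructed sample response; the build number is a placeholder.
SAMPLE_SERVER_XML = (
    '<server version="2023.11.2 (build 000000)" '
    'versionMajor="2023" versionMinor="11" />'
)


def triage(inventory):
    """Map each (hostname, version string) pair to a remediation status."""
    return {
        host: ("AFFECTED: update to 2023.11.3 or apply the patch plugin"
               if is_affected(ver) else "not in affected range")
        for host, ver in inventory
    }
```

Feed `triage()` the version strings from your asset records; a host missing from those records is exactly the blind spot Contos describes below.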

Considering the history of exploitation when it comes to TeamCity bugs, patching is a vital and necessary first step that organizations need to take to address the issue, Brian Contos, CSO at Sevco Security, observes. However, given that there could be Internet-facing servers that a company has lost track of, he suggests that further steps may be needed to lock down an IT environment more firmly.

“It’s hard enough to defend the attack surface you know about, but it becomes impossible when there are vulnerable servers that don’t show up in your IT asset inventory,” Contos says. “Once the patching is taken care of, security teams must turn their attention to a longer-term, more sustainable approach to vulnerability management.”
