JetBrains has patched a critical security vulnerability in its TeamCity On-Premises server that could allow unauthenticated remote attackers to gain control over an affected server and use it to carry out further malicious activity within an organization's environment.
TeamCity is a software development lifecycle (SDLC) management platform that about 30,000 organizations, including several major brands such as Citibank, Nike, and Ferrari, use to automate the processes that build, test, and deploy software. As such, it holds a great deal of data that could be valuable to attackers, including source code and signing certificates, and it could also allow tampering with compiled versions of software or with deployment processes.
The flaw, tracked as CVE-2024-23917, exhibits the weakness CWE-288, an authentication bypass using an alternate path or channel. JetBrains identified the flaw on Jan. 19; it affects all versions from 2017.1 through 2023.11.2 of its TeamCity On-Premises continuous integration and delivery (CI/CD) server.
“If abused, the flaw may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” TeamCity's Daniel Gallo wrote in a blog post detailing CVE-2024-23917, published earlier this week.
JetBrains has already released an update that addresses the vulnerability, TeamCity On-Premises version 2023.11.3, and has also patched its own TeamCity Cloud servers. The company also verified that its own servers were not attacked.
TeamCity's History of Exploitation
Indeed, TeamCity On-Premises flaws are not to be taken lightly, as the last major flaw discovered in the product spurred a global security nightmare when various state-sponsored actors targeted it to engage in a range of malicious behavior.
In that case, a public proof-of-concept (PoC) exploit for a critical remote code execution (RCE) bug tracked as CVE-2023-42793, discovered by JetBrains and patched last Sept. 30, triggered near-immediate exploitation by two North Korean state-backed threat groups tracked by Microsoft as Diamond Sleet and Onyx Sleet. The groups exploited the flaw to drop backdoors and other implants for carrying out a wide range of malicious activities, including cyber espionage, data theft, and financially motivated attacks.
Then in December, APT29 (aka CozyBear, the Dukes, Midnight Blizzard, or Nobelium), the notorious Russian threat group behind the 2020 SolarWinds hack, also pounced on the flaw. In activity tracked by CISA, the FBI, and the NSA, among others, the APT hammered vulnerable servers, using them for initial access to escalate privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.
Update or Other Mitigation Recommended
Hoping to avoid a similar scenario with its latest flaw, JetBrains urged anyone with affected products in their environment to immediately update to the patched version.
If this is not possible, JetBrains has also released a security patch plugin that is available for download and can be installed on TeamCity versions 2017.1 through 2023.11.2 to fix the issue. The company also posted installation instructions online for the plugin to help customers mitigate the issue.
TeamCity stressed, however, that the security patch plugin will only address the vulnerability and not provide other fixes, so customers are strongly recommended to install the latest version of TeamCity On-Premises “to benefit from many other security updates,” Gallo wrote.
Further, if an organization has an affected server that is publicly accessible over the Internet and can't take either of these mitigation steps, JetBrains recommended that the server be made inaccessible until the flaw can be mitigated.
Considering the history of exploitation when it comes to TeamCity bugs, patching is a necessary and critical first step that organizations must take to address the issue, Brian Contos, CSO at Sevco Security, observes. However, given that there may be Internet-facing servers that an organization has lost track of, he suggests further steps may need to be taken to more firmly lock down an IT environment.
“It's hard enough to defend the attack surface you know about, but it becomes impossible when there are vulnerable servers that don't show up in your IT asset inventory,” Contos says. “Once the patching is taken care of, security teams must turn their attention to a longer-term, more sustainable approach to vulnerability management.”
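As an added example (not code from JetBrains or from this article), the following inventory check ties together the mitigation options above and the asset-inventory point Contos raises: it parses TeamCity version strings, flags hosts inside the affected range the advisory names (2017.1 through 2023.11.2), and maps each host to the recommended action; the host list and build number are constructed.

```python
"""Flag TeamCity On-Premises hosts whose version falls inside the CVE-2024-23917
affected range (2017.1 through 2023.11.2; fixed in 2023.11.3). Added example;
the inventory at the bottom is constructed sample data, not real hosts."""
import re
from typing import Optional

AFFECTED_MIN = (2017, 1, 0)   # first affected release named by JetBrains
AFFECTED_MAX = (2023, 11, 2)  # last affected release
FIXED_VERSION = "2023.11.3"

def parse_version(text: str) -> Optional[tuple]:
    """'2023.11.2 (build 12345)' -> (2023, 11, 2); None if unparseable."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.groups() if p is not None)
    return parts + (0,) * (3 - len(parts))  # pad '2023.11' to (2023, 11, 0)

def is_affected(text: str) -> Optional[bool]:
    """True inside the affected range, False outside it, None if unknown."""
    v = parse_version(text)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX

def triage(inventory: dict) -> dict:
    """Map host -> action, following the advisory's options: upgrade, apply
    the security patch plugin, or make an exposed server unreachable."""
    actions = {}
    for host, info in inventory.items():
        affected = is_affected(info["version"])
        if affected is None:
            actions[host] = "review: version string not recognized"
        elif not affected:
            actions[host] = "ok: outside the stated affected range"
        elif info.get("internet_facing"):
            actions[host] = f"urgent: upgrade to {FIXED_VERSION} or make unreachable until mitigated"
        else:
            actions[host] = f"upgrade to {FIXED_VERSION} (or apply the security patch plugin)"
    return actions

INVENTORY = {  # constructed sample data
    "ci-prod": {"version": "2023.11.2 (build 12345)", "internet_facing": True},
    "ci-dev": {"version": "2021.2", "internet_facing": False},
    "ci-new": {"version": "2023.11.3", "internet_facing": True},
    "ci-legacy": {"version": "10.0.5", "internet_facing": False},
    "ci-unknown": {"version": "n/a", "internet_facing": True},
}
```

Running `triage(INVENTORY)` returns one action per host; an unparseable version is reported for manual review rather than silently marked safe.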