Tech Stack: JetBrains TeamCity
Date(s) Issued: Published: September 6, 2023; Last Updated: October 18, 2023
Criticality: CVSS Score: 9.8 (Critical)
Overview: CVE-2023-42793 is a critical authentication bypass vulnerability affecting on-premises instances of JetBrains TeamCity versions prior to 2023.05.4. Exploitation of this vulnerability allows unauthenticated remote attackers to execute arbitrary code on the TeamCity server, potentially gaining administrative control. This poses significant risks, including unauthorized access to source code, credentials, and the possibility of injecting malicious code into software build processes. Notably, threat actors such as the Russian Foreign Intelligence Service (SVR) and North Korean groups have been observed exploiting this vulnerability since late 2023.
Solution/Mitigation:
- Immediate Upgrade:
- Action: Upgrade your TeamCity server to version 2023.05.4 or the latest available version.
- Details: This version addresses the authentication bypass vulnerability. Download the latest distribution from the official JetBrains website and follow the provided upgrade instructions.
- Security Patch Plugin (Temporary Measure):
- Action: If an immediate upgrade is not feasible, apply the security patch plugin provided by JetBrains.
- Details: This plugin mitigates CVE-2023-42793 and is compatible with TeamCity versions 8.0 through 2023.05.3. Note that for versions older than 2019.2, a server restart is required after applying the plugin.
- Restrict Public Access:
- Action: Ensure that your TeamCity server is not publicly accessible over the internet.
- Details: If the server must be accessible externally, implement strict access controls, such as IP whitelisting or VPN requirements, to limit exposure.
- Post-Mitigation Actions:
- Action: Conduct a thorough security audit of your TeamCity environment.
- Details: Given reports of active exploitation, it’s crucial to check for signs of compromise, such as unauthorized user accounts, unexpected scheduled tasks, or unfamiliar files and processes. Refer to Microsoft’s Indicators of Compromise (IOCs) for guidance.
- Continuous Monitoring:
- Action: Implement ongoing monitoring of your TeamCity server and associated infrastructure.
- Details: Utilize security tools to detect unusual activities, such as unexpected network connections or processes, and regularly review logs for anomalies.
Confirmation & Additional Information:
CISA Advisory on SVR Exploitation: CISA
Verification: After applying the upgrade or patch, verify the implementation by accessing the TeamCity web UI and ensuring the version reflects the update. Additionally, monitor the server for any signs of persistent threats.
Stay Informed: Regularly check official JetBrains communications and reputable cybersecurity sources for updates related to TeamCity and associated security advisories.
Resources:
JetBrains Blog on CVE-2023-42793: The JetBrains Blog
Microsoft Threat Intelligence on Exploitation: Microsoft
