Tech Stack: JetBrains TeamCity
Date(s) Issued: Published: March 4, 2024; Last Updated: November 29, 2024
Criticality: CVSS Score: 9.8 (Critical)
Overview: CVE-2024-27198 is a critical authentication bypass vulnerability affecting JetBrains TeamCity versions prior to 2023.11.4. This flaw allows unauthenticated remote attackers to perform administrative actions on the TeamCity server, potentially leading to unauthorized access to source code, credentials, and the injection of malicious code into software build processes. The vulnerability has been actively exploited since its disclosure, with reports of attackers creating numerous rogue administrative accounts on vulnerable servers.
Solution/Mitigation:
- Immediate Upgrade:
  - Action: Upgrade your TeamCity server to version 2023.11.4 or the latest available version.
  - Details: This version addresses the authentication bypass vulnerability. Download the latest distribution from the official JetBrains website and follow the provided upgrade instructions.
- Security Patch Plugin (Temporary Measure):
  - Action: If an immediate upgrade is not feasible, apply the security patch plugin provided by JetBrains.
  - Details: This plugin mitigates CVE-2024-27198 and is compatible with TeamCity versions up to 2023.11.3. Note that for versions older than 2018.2, a server restart is required after applying the plugin.
- Restrict Public Access:
  - Action: Ensure that your TeamCity server is not publicly accessible over the internet.
  - Details: If external access is necessary, implement strict access controls, such as IP whitelisting or VPN requirements, to minimize exposure.
- Post-Mitigation Actions:
  - Action: Conduct a comprehensive security audit of your TeamCity environment.
  - Details: Given the active exploitation of this vulnerability, it’s crucial to check for signs of compromise, such as unauthorized user accounts, unexpected scheduled tasks, or unfamiliar files and processes.
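The following triage helper applies the version thresholds and mitigation order above to a server inventory. It is an added example, not JetBrains code; the record fields (`host`, `version`, `internet_exposed`), the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

FIXED = (2023, 11, 4)        # first fixed release named in the advisory
RESTART_BELOW = (2018, 2)    # plugin needs a server restart on versions older than this

def parse_version(text):
    """Parse '2023.11.3', '2023.05.4 (build 129421)' or '10.0.5' into a tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def triage(server):
    """Return the advisory's actions for one inventory record, most urgent first."""
    version = parse_version(server["version"])
    restrict = "restrict public access (IP allowlist or VPN)"
    if version >= FIXED:
        # Fixed build: only exposure remains. A server that ran a vulnerable
        # build earlier still warrants the audit; the inventory cannot show that.
        return [restrict] if server["internet_exposed"] else []
    actions = [restrict] if server["internet_exposed"] else []
    actions.append("upgrade to 2023.11.4 or later")
    plugin = "apply the security patch plugin if the upgrade is delayed"
    if version < RESTART_BELOW:
        plugin += " (server restart required)"
    actions.append(plugin)
    actions.append("audit for unauthorized accounts, scheduled tasks, files and processes")
    return actions

# Constructed sample inventory; hosts, versions and build numbers are illustrative.
INVENTORY = [
    {"host": "ci-public", "version": "2023.11.3", "internet_exposed": True},
    {"host": "ci-legacy", "version": "2017.2.4 (build 50732)", "internet_exposed": False},
    {"host": "ci-old", "version": "10.0.5", "internet_exposed": False},
    {"host": "ci-patched", "version": "2023.11.4", "internet_exposed": False},
    {"host": "ci-new", "version": "2024.03", "internet_exposed": True},
]

if __name__ == "__main__":
    for server in INVENTORY:
        actions = triage(server) or ["no action from this advisory"]
        print(f"{server['host']} ({server['version']}):")
        for step in actions:
            print(f"  - {step}")
```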
Resources:
NVD Entry for CVE-2024-27198: NVD
JetBrains Security Bulletin: The JetBrains Blog
CISA Advisory on CVE-2024-27198: CISA
Rapid7 Analysis and Recommendations: Rapid7



