JetBrains has urged users of its on-premises TeamCity software development platform manager to immediately patch a pair of authentication bypass vulnerabilities, one of which is rated critical.
If left unpatched the critical bug could allow attackers to compromise TeamCity servers and carry out unauthorized remote code execution (RCE).
JetBrains patched another critical authentication bypass vulnerability a month ago that was discovered in January.
The new bugs are tracked as CVE-2024-27198, an alternative path weakness with a CVSS v3 score of 9.8, and CVE-2024-27199, a path traversal weakness with a CVSS score of 7.3.
“If abused, the flaws may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass the authentication checks and gain administrative control of the TeamCity server,” TeamCity solutions engineer Daniel Gallo said in a March 4 post.
The vulnerabilities affect all on-premises versions of TeamCity up to 2023.11.3 and have been fixed in the latest version, 2023.11.4, which all users were urged to update to.
In the post, Gallo said users of the cloud version of the product were not affected because the vendor had patched its cloud servers and verified that they weren’t attacked.
TeamCity manages organizations’ Continuous Integration and Continuous Deployment (CI/CD) software development pipeline — the process of building, testing and deploying code. The platform is used by about 30,000 organizations.
The latest bugs were discovered last month by Rapid7 principal security researcher Stephen Fewer.
CVE-2024-27198, the critical severity bug, “allows for a complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker, including unauthenticated RCE, as demonstrated via our exploit,” Rapid7 said in a March 4 post.
“The second vulnerability, CVE-2024-27199 (with a high severity rating), allows for a limited amount of information disclosure and a limited amount of system modification,” the Rapid7 researchers said.
The potential system modification activity included the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker's choosing.
“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” Rapid7 said in its post.
U.S. and international security and law enforcement agencies explained more about why threat groups found TeamCity servers an attractive target in a joint advisory published in December.
“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes — access a malicious actor could further use to conduct supply chain operations,” the agencies said.
In the advisory, the agencies warned that threat actor APT29 (a Russian military intelligence-backed gang also known as Cozy Bear, Midnight Blizzard and Nobelium) had infiltrated TeamCity servers via another critical vulnerability. The same bug, another authentication bypass vulnerability leading to RCE (tracked as CVE-2023-42793) had also previously been exploited by the North Korean nation-state threat actors Diamond Sleet and Onyx Sleet in October, in campaigns discovered by Microsoft.
