Article Details

Original Article Text

JetBrains warns of new TeamCity auth bypass vulnerability

JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges.

Tracked as CVE-2024-23917, this critical severity flaw impacts all versions of TeamCity On-Premises from 2017.1 through 2023.11.2 and can be exploited in remote code execution (RCE) attacks that don't require user interaction.

"We strongly advise all TeamCity On-Premises users to update their servers to 2023.11.3 to eliminate the vulnerability," JetBrains said. "If your server is publicly accessible over the internet and you are unable to take one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed."

Customers who cannot immediately upgrade can also use a security patch plugin to secure servers running TeamCity 2018.2+ and TeamCity 2017.1, 2017.2, and 2018.1.

While the company says that all TeamCity Cloud servers have been patched and there is no evidence they've been attacked, it has yet to reveal if CVE-2024-23917 has been targeted in the wild to hijack Internet-exposed TeamCity On-Premises servers. Shadowserver is tracking more than 2,000 TeamCity servers exposed online, although there is no way to know how many have already been patched.

A similar authentication bypass flaw tracked as CVE-2023-42793 was exploited by the APT29 hacking group linked to Russia's Foreign Intelligence Service (SVR) in widespread RCE attacks since September 2023. "By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers," CISA warned.

Several ransomware gangs have exploited the same vulnerability since early October to breach corporate networks. According to Microsoft, the North Korean Lazarus and Andariel hacking groups also used CVE-2023-42793 exploits to backdoor victims' networks, likely in preparation for software supply chain attacks.

JetBrains says that more than 30,000 organizations worldwide use the TeamCity software building and testing platform, including high-profile companies like Citibank, Ubisoft, HP, Nike, and Ferrari.

Daily Brief Summary

CYBERCRIME // JetBrains TeamCity Servers Plagued by Critical Auth Bypass Flaw

JetBrains has issued a warning about a critical authentication bypass vulnerability, CVE-2024-23917, affecting TeamCity On-Premises servers.

The vulnerability affects all TeamCity On-Premises versions from 2017.1 to 2023.11.2, enabling attackers to potentially execute remote code without user interaction.

Users are strongly encouraged to update their servers to version 2023.11.3 to remedy the security flaw. Servers that are publicly accessible over the internet and cannot be mitigated immediately should be made temporarily inaccessible until mitigation is complete.

Users unable to upgrade immediately can instead apply a security patch plugin, which covers TeamCity 2018.2+ as well as TeamCity 2017.1, 2017.2, and 2018.1.

TeamCity Cloud servers have been secured against the flaw, and there is no indication of attacks, although it is unknown how many exposed on-premises servers have been updated.

The vulnerability resembles a prior CVE-2023-42793 flaw exploited by APT29 and other hacking groups, pointing to the risk of widespread RCE attacks and potential software supply chain disruptions.

JetBrains' TeamCity is widely used by over 30,000 organizations globally, including industry giants across various sectors.

Over 2,000 TeamCity servers are currently exposed online, with Shadowserver actively monitoring the situation; the number of secured servers amongst them is not specified.
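
The version range and mitigation order described above can be applied to an inventory of TeamCity servers. The following Python sketch is an added example, not code from JetBrains or from the article; the inventory format, hostnames, build numbers and status labels are assumptions made for illustration.

```python
import re

# Bounds as stated in the article: affected 2017.1 through 2023.11.2, fixed in 2023.11.3.
FIRST_AFFECTED = (2017, 1, 0)
FIXED_IN = (2023, 11, 3)
_VERSION = re.compile(r"(?<![\d.])(\d{1,4})\.(\d{1,2})(?:\.(\d+))?(?![\d.])")

def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if none is found."""
    m = _VERSION.search(text)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def classify(version_text):
    """Place a reported version relative to the CVE-2024-23917 affected range."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # never treat an unreadable version as safe
    if v < FIRST_AFFECTED:
        return "outside-range"    # older than the range the article states
    return "affected" if v < FIXED_IN else "fixed"

PLAN = {  # status -> (sort rank, action); actions follow the article's guidance
    "affected": (0, "upgrade to 2023.11.3 or apply the security patch plugin"),
    "unknown": (1, "check version manually"),
    "outside-range": (2, "not in stated range; confirm against the vendor advisory"),
    "fixed": (3, "none"),
}

def triage(inventory):
    """Return (host, status, action) rows, internet-exposed affected servers first."""
    rows = []
    for host, version_text, exposed in inventory:
        status = classify(version_text)
        rank, action = PLAN[status]
        if status == "affected" and exposed:
            action = "make inaccessible from the internet, then " + action
        rows.append((rank, not exposed, host, status, action))
    return [(h, s, a) for _, _, h, s, a in sorted(rows)]

# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE = [
    ("ci-internal.example", "TeamCity 2023.11.3 (build 000003)", False),
    ("ci-legacy.example", "2017.1", False),
    ("ci-public.example", "TeamCity Professional 2023.11.2 (build 000002)", True),
    ("ci-lab.example", "version not reported", True),
]

for row in triage(SAMPLE):
    print(*row, sep=" | ")
```

Versions that cannot be parsed are ranked directly after affected ones so they are reviewed rather than silently passed.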