SecurityWeek | Vulnerabilities
Critical Vulnerability Exposes TeamCity Servers to Takeover

A critical authentication bypass in TeamCity allows remote attackers to take full control of vulnerable servers.

JetBrains on Monday released patches for two authentication bypass vulnerabilities in the build management server TeamCity, including a critical-severity flaw leading to full compromise.

Tracked as CVE-2024-27198 (CVSS score of 9.8) and CVE-2024-27199 (CVSS score of 7.3), the security defects impact the web component of TeamCity and stem from an alternative path or channel weakness and a path traversal weakness, respectively.

“If abused, the flaws may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass the authentication checks and gain administrative control of the TeamCity server,” JetBrains notes in its advisory.

According to Rapid7, which identified the bugs, CVE-2024-27198 could allow a remote, unauthenticated attacker to execute arbitrary code and completely compromise the vulnerable server, taking over “all TeamCity projects, builds, agents and artifacts”.

By exploiting the critical-severity issue an attacker could position themselves “to perform a supply chain attack”, Rapid7 explains in a technical writeup.

The security hole is related to TeamCity’s web server, which is exposed over the HTTP port 8111 by default, and which can be configured over HTTPS as well. Due to the way certain requests are handled, an attacker could change a URL to call arbitrary endpoints and create a new administrator user.

“An attacker can craft a URL such that all authentication checks are avoided, allowing endpoints that are intended to be authenticated to be accessed directly by an unauthenticated attacker. A remote unauthenticated attacker can leverage this to take complete control of a vulnerable TeamCity server,” Rapid7 explains.

The high-severity flaw, CVE-2024-27199, does not provide the same level of access to authenticated endpoints but allows an unauthenticated attacker to modify certain settings on the server (such as uploading their own HTTPS certificate) and access sensitive information.


“An attacker could perform a denial of service against the TeamCity server by either changing the HTTPS port number to a value not expected by clients, or by uploading a certificate that will fail client-side validation. Alternatively, an attacker with a suitable position on the network may be able to perform either eavesdropping or a man-in-the-middle attack on client connections,” Rapid7 explains.

Both vulnerabilities were addressed with the release of TeamCity version 2023.11.4. JetBrains also released a security patch plugin for customers who cannot upgrade to the latest version.

“All versions of TeamCity On-Premises are affected by these vulnerabilities. Customers of TeamCity Cloud have already had their servers patched, and we have verified that they weren’t attacked,” JetBrains notes.

Given that no backports of the fix are considered at this time, TeamCity On-Premises customers are advised to apply the available patches as soon as possible.
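Because the fix shipped only in 2023.11.4 and is not being backported, the first defensive step is to find every on-premises server still running an older build. The following inventory triage script is an added example written for this article, not code from JetBrains or Rapid7. It assumes version strings of the form "2023.11.4" or "2023.11.4 (build 147512)" (the build suffix format is an assumption) and uses a constructed sample inventory; hostnames and versions in it are made up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version in which JetBrains shipped the fix for CVE-2024-27198 and
# CVE-2024-27199, per the advisory cited in the article above.
FIXED_VERSION: Tuple[int, int, int] = (2023, 11, 4)

# Matches "YYYY.MM" or "YYYY.MM.P" at the start of a version string; any
# trailing text such as " (build 147512)" is ignored. The build-suffix
# format is an assumption, not something the article documents.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a TeamCity version string.

    A missing patch component is treated as 0, so "2023.11" sorts below
    "2023.11.4". Returns None when the string cannot be parsed.
    """
    match = _VERSION_RE.match(text)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_patched(version_text: str) -> bool:
    """True when the reported version is 2023.11.4 or later.

    An unparseable version is treated as unpatched: an unknown server
    should be verified by hand, not silently dropped from the list.
    """
    version = parse_version(version_text)
    if version is None:
        return False
    return version >= FIXED_VERSION


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames (sorted) whose version predates the fix.

    Hosts that applied JetBrains' security patch plugin instead of
    upgrading keep their old version string, so they will appear here
    too; treat the result as a list of hosts needing confirmation.
    """
    return sorted(host for host, version in inventory.items()
                  if not is_patched(version))


# Constructed sample inventory (hostnames and versions are invented).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-build-01.example.internal": "2023.11.4 (build 147512)",
    "ci-build-02.example.internal": "2023.11.3",
    "ci-legacy.example.internal": "2023.05.1",
    "ci-new.example.internal": "2024.03",
    "ci-unknown.example.internal": "version unavailable",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"needs fix or verification: {host} ({SAMPLE_INVENTORY[host]})")
```

Feed `triage` with whatever your asset inventory already records about each TeamCity server; the version comparison is tuple-based, so a year-style version such as 2024.03 correctly sorts above 2023.11.4 even though its patch component is absent. Since the article notes that the web server listens on port 8111 by default, pairing this list with a check that the port is not reachable from untrusted networks covers the exposure side as well.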

Related: JetBrains Patches Critical Authentication Bypass in TeamCity

Related: Russian Cyberspies Exploiting TeamCity Vulnerability at Scale: Government Agencies

Related: North Korean Hackers Exploiting Recent TeamCity Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
