
March 8, 2024

TeamCity vulnerability under mass exploitation


A critical-severity authentication bypass vulnerability in the on-premises version of JetBrains' TeamCity continuous integration/continuous delivery (CI/CD) server is now under mass exploitation.

The flaw, designated CVE-2024-27198, is being leveraged by multiple threat actors to create administrator accounts on unpatched, internet-exposed TeamCity instances. An administrator account gives full control over every project, build configuration, build agent, and artifact held on the server.


According to one cybersecurity researcher, roughly 1,700 internet-exposed TeamCity instances had still not been updated, and as many as 1,440 of those showed signs of compromise, giving threat actors access to sensitive data such as credentials and source code.

Source: Bleeping Computer

Analysis

The speed with which this vulnerability went from disclosure to mass exploitation highlights threat actors' interest in compromising the CI/CD systems developers use to automate building, testing, and deploying software.

Because these servers hold the source code, build pipelines, and credentials for many projects, their compromise can lead to a supply chain attack: malicious code inserted by a threat actor into a build or repository may go undetected and then be shipped to, and installed by, downstream users. Sophisticated threat actors with access to source code can also study it to find zero-day vulnerabilities for later exploitation.

The administrators of the unpatched TeamCity servers identified so far evidently did not apply the vendor's update quickly enough to stay ahead of exploitation. Administrators must maintain a rapid patching cadence for this class of software, and above all for instances that are reachable from the internet.

Given the many systems and devices administrators have to keep track of, they should consider adopting a service that automatically notifies them when vulnerable software or appliances are detected in their environment. This saves valuable time and significantly narrows the window in which threat actors can target vulnerable systems before they are patched.
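The kind of automated check the previous paragraph calls for can be reduced to a small inventory pass: take each TeamCity instance's reported version and flag those still below the release that carries the fix, prioritising the internet-exposed ones. The script below is an added example written for this page, not Field Effect's Covalence logic or any JetBrains code. It assumes version strings in the form TeamCity prints on its login page and in its REST server endpoint (for example "2023.11.3 (build 147512)"), and it takes 2023.11.4 as the first fixed release, which is what JetBrains' advisory for CVE-2024-27198 states; confirm that threshold against the advisory for your deployment. The host inventory is constructed for illustration.

```python
"""Flag TeamCity instances still running a release affected by CVE-2024-27198.

Added example for this page; not Field Effect's or JetBrains' code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# First TeamCity On-Premises release containing the fix, per the JetBrains
# advisory (assumption: confirm against the advisory before relying on it).
FIXED_VERSION: Tuple[int, int, int] = (2023, 11, 4)

# Matches "2023.11.3", "2023.11.3 (build 147512)" and "2023.05" (patch omitted).
# The build number in parentheses has no dot, so it is never mistaken for a version.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a TeamCity version banner, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if below the fixed release, False if at or after it, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION


@dataclass
class Host:
    name: str
    version_banner: str   # text scraped from the login page or /app/rest/server
    internet_exposed: bool


def triage(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Order hosts by urgency: exposed and vulnerable first, patched last."""
    rank = {
        "PATCH NOW (internet-exposed)": 0,
        "patch": 1,
        "review (version unknown)": 2,
        "ok": 3,
    }
    findings = []
    for h in hosts:
        vuln = is_vulnerable(h.version_banner)
        if vuln is None:
            status = "review (version unknown)"   # unreachable or odd banner: do not assume safe
        elif vuln and h.internet_exposed:
            status = "PATCH NOW (internet-exposed)"
        elif vuln:
            status = "patch"
        else:
            status = "ok"
        findings.append((h.name, status))
    findings.sort(key=lambda f: rank[f[1]])   # stable sort keeps inventory order within a rank
    return findings


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_HOSTS = [
    Host("ci-prod.example.internal", "2023.11.3 (build 147512)", True),
    Host("ci-lab.example.internal", "2023.05.4 (build 129421)", False),
    Host("ci-new.example.internal", "2023.11.4 (build 147654)", True),
    Host("ci-legacy.example.internal", "unreachable", False),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_HOSTS):
        print(f"{status:30} {name}")
```

Two design points matter in practice: an instance whose version cannot be read is reported for review rather than silently treated as patched, and exposure is a separate input rather than inferred from the hostname, so the same check works for hosts discovered by an external scan and for those listed in an internal inventory.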

Mitigation

Field Effect's Security Intelligence team constantly monitors the cyber threat landscape for vulnerabilities discovered in software like TeamCity. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate exploitation of these vulnerabilities. Covalence users have been automatically notified via the Covalence Portal if a vulnerable version of TeamCity was detected in their environment.

Field Effect strongly encourages all other users of affected on-premises TeamCity deployments to install the latest security patch as soon as possible, per JetBrains' advisory.
