This blog post serves as a critical alert for users of JetBrains TeamCity, a widely used CI/CD server. Two recently discovered vulnerabilities, CVE-2024-27198 and CVE-2024-27199, pose a significant threat to the security of your CI/CD pipeline. These vulnerabilities allow attackers to bypass authentication and gain unauthorized access to your server, potentially leading to data breaches, malware deployment, and disruption of your development process.

This post aims to provide a comprehensive understanding of these vulnerabilities, their impact, and the necessary steps you should take to mitigate the risks. By understanding the nature of these vulnerabilities and taking immediate action, you can safeguard your TeamCity server and ensure the smooth functioning of your CI/CD pipeline.

Understanding the Vulnerabilities: CVE-2024-27198 and CVE-2024-27199 in JetBrains TeamCity

Two critical vulnerabilities, CVE-2024-27198 and CVE-2024-27199, were identified in JetBrains TeamCity, a popular CI/CD server. These vulnerabilities allow attackers to bypass authentication and gain unauthorized access to your server, potentially leading to severe consequences.

1. Explanation of the Vulnerabilities:

• CVE-2024-27198 (Critical, CVSS score: 9.8): This vulnerability exists due to an alternative path issue in the TeamCity web component (CWE-288). Attackers can exploit this issue to bypass authentication checks and gain full administrative control over the server, including the ability to execute arbitrary code (RCE).
• CVE-2024-27199 (High, CVSS score: 7.3): This vulnerability arises from a path traversal issue within the web component (CWE-22). While not as severe as CVE-2024-27198, it still allows attackers to bypass authentication and potentially gain unauthorized access to sensitive information or launch denial-of-service (DoS) attacks.

2. Bypassing Authentication:

Both vulnerabilities exploit weaknesses in how TeamCity handles user input and validates access requests. This allows attackers to bypass the usual authentication process and gain unauthorized access to the server.

• In CVE-2024-27198, attackers can manipulate specific URLs to access functionalities typically requiring administrative privileges.
• In CVE-2024-27199, attackers can potentially navigate to unauthorized directories on the server, potentially revealing sensitive information or disrupting server functions.

3. Severity Levels:

The Common Vulnerability Scoring System (CVSS) assigns severity levels based on the potential impact of a vulnerability.

• CVE-2024-27198 is rated critical (CVSS score: 9.8) due to its ability to grant attackers complete control over the server, allowing them to steal data, deploy malware, or launch further attacks.
• CVE-2024-27199 is rated high (CVSS score: 7.3) as it still allows unauthorized access and can potentially disrupt server operations or expose sensitive information.

CVE-2024-27198: Complete Compromise of TeamCity:

CVE-2024-27198 is a critical vulnerability in JetBrains TeamCity that exposes a severe authentication bypass flaw. This section delves deeper into the vulnerability, exploring how attackers can exploit it, the potential consequences, and a demonstration (without providing details) of the exploit’s capabilities.

1. Gaining Full Control: Attacker’s Perspective:

This vulnerability, stemming from an alternative path issue (CWE-288), allows an unauthenticated attacker to bypass the usual login process and gain complete control over a vulnerable TeamCity server. Here’s a simplified breakdown of the attack:

• The attacker identifies a specific path within the TeamCity web component that is vulnerable to manipulation.
• By crafting a specially crafted URL containing this vulnerable path, the attacker can exploit the flaw in how TeamCity handles user input and bypass authentication checks.
• Once past the authentication barrier, the attacker has unrestricted access to the server’s functionalities, including:
  • Creating new administrative users: This allows the attacker to establish permanent control over the server.
  • Generating new administrator access tokens: These tokens can be used to maintain access even after restarting the server.
  • Executing arbitrary code (RCE): This grants the attacker the highest level of control, enabling them to steal data, deploy malware, or disrupt critical server functions.

2. Real-World Implications and Risks:

The consequences of this vulnerability can be devastating for organizations using TeamCity. Here are some potential risks:

• Data Breaches: Attackers can access sensitive data stored on the TeamCity server, including source code, build artifacts, and potentially even user credentials.
• Deployment of Malware: Attackers can inject malicious code into builds, potentially compromising the entire software development pipeline and infecting downstream systems.
• Disruption of CI/CD Pipeline: Attackers can manipulate or even disable the CI/CD workflow, causing delays, inconsistencies, and hindering development efforts.
• Supply Chain Attacks: Due to the potential for compromising builds, this vulnerability creates a significant risk for organizations using TeamCity in their software supply chain, potentially impacting downstream deployments.

3. Demonstration of Remote Code Execution (RCE) (without providing details):

While we cannot disclose the specific exploit details to prevent malicious actors from exploiting the vulnerability, it’s important to understand that successful exploitation can lead to RCE. This means attackers can execute arbitrary code on the server, granting them complete control over the system and its resources.

CVE-2024-27199: HTTPS Certificate Replacement:

While not as critical as CVE-2024-27198, CVE-2024-27199 still poses a significant security risk. This vulnerability allows attackers to tamper with the server’s HTTPS certificate, potentially compromising the integrity of communication and damaging user trust.

1. Limited Information Disclosure and System Modification:

This vulnerability, classified as a path traversal vulnerability (CWE-22), grants attackers the ability to:

• Gain limited access to the server’s file system: This allows them to potentially read and potentially modify specific files, depending on the server’s configuration and access controls.
• Replace the HTTPS certificate: This is the vulnerability’s most critical aspect. By replacing the legitimate certificate with a self-signed or malicious certificate, attackers can intercept communication between the server and clients.

2. Replacing the HTTPS Certificate: Attacker’s Strategy:

An attacker exploiting this vulnerability could follow these steps:

• Identify a way to exploit the path traversal flaw and gain access to a directory containing the server’s SSL/TLS certificates.
• Replace the legitimate certificate with a self-signed certificate issued by the attacker.
• When users connect to the server, their browsers will display warnings about the untrusted certificate. However, some users might bypass these warnings, unknowingly establishing an insecure connection.

3. Implications for Security and Trust:

A compromised HTTPS certificate poses several security risks:

• Man-in-the-Middle (MitM) Attacks: By intercepting encrypted communication, attackers can steal sensitive information, inject malware, or tamper with data in transit.
• Breach of Trust: Users rely on valid HTTPS certificates to ensure they are communicating with the intended server and not a malicious imposter. A compromised certificate undermines this trust and increases the risk of falling victim to phishing attacks.

Impact and Supply Chain Risks:

The recently discovered vulnerabilities in JetBrains TeamCity, CVE-2024-27198 and CVE-2024-27199, pose a significant threat not just to individual servers but also carry wider implications for the software development ecosystem, particularly regarding supply chain attacks.

1. Discussing the Broader Impact:

These vulnerabilities can have a cascading impact beyond the immediate compromise of a single TeamCity server. Here are some key aspects to consider:

• Data Breaches and Exfiltration: Attackers can access sensitive information stored on the server, including source code, build artifacts, and potentially even user credentials. This stolen information can be used for further attacks or sold on the black market.
• Deployment of Malicious Code: By exploiting these vulnerabilities, attackers can inject malicious code into builds, potentially compromising the entire software development pipeline and infecting downstream systems. This can have a widespread impact, affecting users and potentially leading to significant financial losses.
• Disruption of Development Processes: Attackers can manipulate or even disable the CI/CD workflow, causing delays, inconsistencies, and hindering development efforts. This can significantly slow down the development process and impact project timelines.

2. Supply Chain Attack Potential:

The potential for compromising builds through these vulnerabilities creates a significant risk for organizations using TeamCity in their software supply chain. Attackers could exploit these vulnerabilities to introduce malicious code into builds, which would then be unknowingly deployed to downstream systems. This can have a devastating impact, potentially affecting a large number of users and exposing them to various security risks.

3. Why Securing TeamCity Servers is Crucial:

Given the potential consequences, it’s crucial to prioritize the security of TeamCity servers. Here are some reasons why:

• Protecting Sensitive Information: TeamCity servers often store sensitive data related to development projects. Securing these servers is essential to prevent unauthorized access and data breaches.
• Maintaining Software Integrity: Compromised builds can have far-reaching consequences. By securing TeamCity servers, organizations can ensure the integrity of their software and protect their users and downstream systems.
• Ensuring Supply Chain Security: In today’s interconnected development environment, securing TeamCity servers plays a vital role in safeguarding the software supply chain and preventing the spread of malicious code.

Remediation and Upgrading:

Following the discovery of CVE-2024-27198 and CVE-2024-27199, JetBrains promptly released TeamCity 2023.11.4, effectively patching both vulnerabilities. This section emphasizes the urgency of updating your server and provides guidance on the upgrade process.

1. JetBrains’ Response and TeamCity 2023.11.4:

JetBrains acknowledged the vulnerabilities and released TeamCity 2023.11.4 on March 3, 2024. This critical update addresses both CVE-2024-27198 and CVE-2024-27199, eliminating the exploitation pathways and restoring the security of your TeamCity server.

2. Urgency for Immediate Server Updates:

It is strongly recommended to update your TeamCity server to version 2023.11.4 immediately. Delaying the update leaves your server vulnerable to potential exploitation, exposing your data, software integrity, and potentially your entire software supply chain to significant risks.

3. Upgrading and Protecting Your Server:

Upgrading to TeamCity 2023.11.4 is a straightforward process. JetBrains provides detailed upgrade instructions on their website https://www.jetbrains.com/help/teamcity/upgrading-teamcity-server-and-agents.html.

Here are some key steps to remember:

• Back up your TeamCity server data before initiating the upgrade process.
• Download the appropriate TeamCity 2023.11.4 installer based on your operating system.
• Follow the upgrade instructions meticulously, ensuring a smooth and successful update.

4. Additional Protection Measures:

While patching is crucial, consider implementing additional security measures to further protect your TeamCity server:

• Enforce strong password policies for all users and regularly rotate passwords.
• Restrict access to the server to authorized personnel only.
• Implement a layered security approach that includes firewalls, intrusion detection systems, and regular vulnerability scanning.
• Stay informed about the latest security threats and vulnerabilities, and apply patches promptly when available.

By taking immediate action to update your TeamCity server and implementing these additional security measures, you can significantly reduce the risk of exploitation and ensure the continued security and integrity of your software development process.

Remember, addressing these authentication bypass vulnerabilities promptly is essential to safeguard your TeamCity infrastructure!
At Maagsoft Inc, we are your trusted partner in the ever-evolving realms of cybersecurity, AI innovation, and cloud engineering. Our mission is to empower individuals and organizations with cutting-edge services, training, and AI-driven solutions. Contact us at contact@maagsoft.com to embark on a journey towards fortified digital resilience and technological excellence.