How to Protect Your TeamCity from CVE-2024-27198 and CVE-2024-27199- Authentication Bypass Vulnerabilities?

In February 2024, Rapid7 discovered two critical authentication bypass vulnerabilities in JetBrains TeamCity, tracked as CVE-2024-27198 (CVSS 9.8) and CVE-2024-27199 (CVSS 7.3). These flaws could allow unauthenticated attackers to gain administrative control over the TeamCity server, potentially leading to complete server compromise and supply chain attacks. Rapid7 disclosed these findings to JetBrains, but the vendor released a fix without coordinating with Rapid7. In this blog post, we will explore the details of these Authentication Bypass Vulnerabilities in TeamCity, their impact, and the affected versions. We will also provide a step-by-step guide on protecting your TeamCity server by upgrading to the patched version (2023.11.4) or applying the security patch plugin.

The Shadowserver Foundation

@Shadowserver

·Follow

If running JetBrains TeamCity on-prem - make sure to patch for latest CVE-2024-27198 (remote auth bypass) & CVE-2024-27199 vulns NOW! We started seeing exploitation activity for CVE-2024-27198 around Mar 4th 22:00 UTC. 16 IPs seen scanning so far. blog.jetbrains.com/teamcity/2024/…

9

Reply

Copy link

Read 1 reply

A Short Note About TeamCity

TeamCity is a popular CI/CD server developed by JetBrains. It helps development teams to automate their building, testing, and deployment processes. TeamCity supports various programming languages, frameworks, and platforms, making it a versatile tool for continuous integration and delivery. With its user-friendly interface and extensive plugin ecosystem, TeamCity has become a go-to solution for many organizations looking to streamline their software development lifecycle.

Understanding CVE-2024-27198

CVE-2024-27198, the more severe of the two Authentication Bypass Vulnerabilities in TeamCity, is caused by an alternative path issue in the jetbrains.buildServer.controllers.BaseController class, implemented in the web-openapi.jar library. By crafting a specific URL, an attacker can bypass all authentication checks, granting unauthenticated access to endpoints intended for authenticated users only. This critical flaw enables attackers to take complete control of a vulnerable TeamCity server, including creating new administrator accounts or generating administrator access tokens, potentially leading to a full system compromise and unauthorized access to all projects, builds, agents, and artifacts associated with the server.

Understanding CVE-2024-27199

CVE-2024-27199, one of the critical Authentication Bypass Vulnerabilities in TeamCity, stems from a path traversal issue in several paths of the TeamCity web server, including /res/, /update/, and /.well-known/acme-challenge/. Exploiting this flaw, an unauthenticated attacker can leverage double dot path segments to traverse to an alternative endpoint, effectively bypassing authentication checks. This vulnerability allows attackers to modify a limited number of system settings on the server and disclose sensitive information, such as replacing the HTTPS certificate with a certificate of the attacker's choosing, potentially enabling man-in-the-middle attacks or causing denial-of-service conditions.

TeamCity Versions Vulnerable to Authentication Bypass Vulnerabilities

According to JetBrains, all TeamCity versions prior to 2023.11.4 are affected by the critical Authentication Bypass Vulnerabilities identified as CVE-2024-27198 and CVE-2024-27199. However, TeamCity Cloud servers have already been patched, and JetBrains has verified that these managed instances were not compromised.

How to Protect Your TeamCity from CVE-2024-27198 and CVE-2024-27199?

To address the critical Authentication Bypass Vulnerabilities in TeamCity, tracked as CVE-2024-27198 and CVE-2024-27199, JetBrains released TeamCity version 2023.11.4 on March 3, 2024. This updated version includes patches for both vulnerabilities, effectively mitigating the risks associated with these flaws.

For users who are unable to upgrade to TeamCity 2023.11.4, JetBrains has provided an alternative mitigation option in the form of a security patch plugin. This plugin can be installed on all TeamCity versions up to and including 2023.11.3, offering protection against the Authentication Bypass Vulnerabilities.

To upgrade your TeamCity server to the fixed release (2023.11.4) and safeguard your system from CVE-2024-27198 and CVE-2024-27199, follow these step-by-step instructions:

If you prefer to use the automatic update option within TeamCity, simply follow the on-screen instructions provided by the TeamCity user interface to complete the upgrade process.

By upgrading to TeamCity 2023.11.4 or applying the security patch plugin, you can protect your TeamCity server from the critical Authentication Bypass Vulnerabilities and ensure the security and integrity of your CI/CD pipeline.

Bottom Line

The discovery of CVE-2024-27198 and CVE-2024-27199 highlights the importance of staying vigilant and promptly addressing security vulnerabilities in CI/CD systems like TeamCity. These Authentication Bypass Vulnerabilities in TeamCity could lead to severe consequences, such as complete server compromise and potential supply chain attacks. It is crucial for TeamCity users to upgrade their servers to the latest version (2023.11.4) or apply the security patch plugin provided by JetBrains as soon as possible. Additionally, organizations should regularly monitor for security updates and adhere to best practices in securing their CI/CD pipelines to minimize the risk of potential attacks. By taking proactive measures and prioritizing security, development teams can ensure the integrity and reliability of their software development lifecycle while leveraging the powerful features of TeamCity.

We hope this post helps you know how to protect your TeamCity from CVE-2024-27198 and CVE-2024-27199- Authentication Bypass Vulnerabilities. Thanks for reading this post. Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.