Recently, security researcher Stefan Schiller from Sonar disclosed a critical remote code execution (RCE) vulnerability in the popular Continuous Integration and Continuous Deployment (CI/CD) platform TeamCity. On September 26, 2023, JetBrains, the company behind TeamCity, published an advisory about this vulnerability tracked as CVE-2023-42793.
This is an authentication bypass flaw in TeamCity that could allow an unauthenticated, remote attacker to gain administrative access and take complete control of the TeamCity server. If exploited, this vulnerability enables the attacker to steal source code, secrets, and private keys and tamper with the build process to inject malicious code into software releases, which would impact all downstream users.
According to the NIST National Vulnerability Database (NVD), this vulnerability has a CVSS v3 base score of 9.8 (critical severity) and presents the weakness CWE-288 (authentication bypass using an alternate path or channel).
This blog post will cover what are CI/CD pipelines, give an overview of TeamCity, provide a summary of CVE-2023-42793, learn which TeamCity versions are impacted, and discuss how to fix CVE-2023-42793 vulnerability in this blog post.
Table of Contents
What Are CI/CD Pipelines?
CI/CD pipelines automate the process of building, testing, and deploying applications. The continuous integration (CI) stage integrates code changes from developers into a shared repository frequently, checks for errors, and runs automated tests. If all test cases pass, the continuous delivery (CD) stage deploys the build artifact to production or staging environments.
CI/CD enables rapid and reliable software releases by catching issues early through automated testing and preventing bad code from going live. With CI/CD, developers can focus on writing code rather than wasting time on manual build and deployment processes. Leading tech companies rely heavily on CI/CD pipelines to achieve faster release cycles and remain competitive.
A Short Introduction of TeamCity and Its Key Features
TeamCity is a popular Java-based CI/CD server from JetBrains used by over 300,000 developers worldwide. It integrates with version control systems like Git, Mercurial, SVN, and Perforce to detect code changes and automatically build, test, and deploy applications.
Some key features of TeamCity include:
- Support for many build tools and test runners like Maven, Gradle, NUnit, JUnit, etc.
- Built-in Docker support for building Docker images and running builds in containers.
- Powerful build chain visualization and triggers to model dependencies.
- Integrated code coverage metrics and duplicate code analysis.
- Pre-tested commit feature to catch issues before they reach the repository.
- Highly customizable build agents that can run on different platforms like Linux, Windows, and macOS.
- REST API and command-line interface for automation and integration.
- Role-based access control, LDAP authentication, and audit logging for security.
The Summary of CVE-2023-42793
CVE-2023-42793 stems from an authentication bypass vulnerability in TeamCity that enables an unauthenticated, remote attacker to bypass authentication and gain arbitrary code execution on the TeamCity server with administrative privileges.
According to the NVD, it has been assigned a CVSS v3 base score of 9.8 (critical severity) based on these metrics:
- CVE ID: CVE-2023-42793
- Description: Authentication bypass in JetBrains TeamCity enables unauthenticated remote code execution
- Base Score: 9.8 (Critical)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Successful exploitation of this flaw allows an attacker to steal source code, secrets, and private keys, tamper with the build process, and take full control of the TeamCity server.
TeamCity Versions Vulnerable to CVE-2023-42793
As per JetBrains’ advisory, all versions of TeamCity prior to 2023.05.4 are affected by CVE-2023-42793. This includes TeamCity versions 2022.04.x, 2022.10.x, and 2023.04.x which have not yet been patched against this critical authentication bypass vulnerability.
How to Fix CVE-2023-42793?
JetBrains has addressed this critical vulnerability by releasing TeamCity version 2023.05.4 with the fix for CVE-2023-42793. So it is strongly recommended to update your TeamCity servers to this latest patched release.
Additionally, JetBrains has also provided a security patch plugin that specifically mitigates the CVE-2023-42793 vulnerability in older TeamCity versions like 8.0+ that cannot be immediately upgraded.
While the patch plugin will protect against attacks attempting to exploit this specific flaw, upgrading to the latest TeamCity version is always preferable to get all security enhancements.
Here are the step-by-step instructions to upgrade your TeamCity server to the fixed version 2023.05.4:
- Take a complete backup of your TeamCity server, including the database, Data Directory, logs, config files, and any other custom data. This will help roll back if something goes wrong during the upgrade.
- Download the latest TeamCity 2023.05.4 server distribution from the JetBrains website as a *.zip, *.tar.gz, Docker image, or *.exe installer based on your installation type.
- For Windows installs, run the new 2023.05.4 installer executable. Point it to your existing TeamCity Home Directory and follow the prompts to uninstall the previous version and install the new one.
- For Linux or Docker installs, remove the old TeamCity web application files while preserving the Data Directory and database. Extract the new distribution archive into your TeamCity Home Directory to replace the old files.
- Review the upgrade instructions for any additional steps like restoring customized config files, external database drivers, etc.
- If you made any changes to the bundled Tomcat server or service settings, re-apply them post-upgrade.
- Start the upgraded TeamCity service and provide time for agents to auto-upgrade as well.
- In the TeamCity web UI, go to the Maintenance page. Verify that the upgrade succeeded without any errors. Finally, click the button to finalize the data structure upgrade to a new format.
Following these steps will ensure that CVE-2023-42793 is fully fixed in your TeamCity installation by upgrading to the patched release. Keeping your CI/CD platform updated is crucial for security.
In conclusion, CVE-2023-42793 is a critical severity authentication bypass vulnerability in TeamCity that lead to a remote code execution. If your servers are internet-facing and you cannot patch immediately, restrict access to mitigate attacks. All TeamCity users should update to version 2023.05.4 or install the patch plugin as soon as possible to fully fix this vulnerability. Keeping your CI/CD platforms up-to-date with security patches is crucial to prevent takeovers and supply chain attacks.
Regularly patching and upgrading your web-facing applications is the most effective way to improve your security posture. Old, unmaintained software riddled with known vulnerabilities poses an unacceptable risk in today’s threat landscape. CI/CD platforms like TeamCity, which hold the keys to your source code and releases, are particularly appealing targets that call for extra vigilance.
While this news may be unsettling, the good part is that JetBrains has provided actionable solutions to fix the flaw. Stay calm, backup your data, test upgrades, and apply the mitigations. With some care and planning, TeamCity users can ensure their environments are no longer vulnerable to CVE-2023-42793 attacks.
We hope this post helps you know how to fix CVE-2023-42793, a critical critical authentication bypass vulnerability in TeamCity. Thanks for reading this post. Please share this post and help secure the digital world. Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.