TeamCity hit by critical software supply chain bugs

JetBrains is advising immediate patching of two new vulnerabilities in TeamCity, its CI/CD pipeline tool, that can allow attackers to gain unauthenticated administrative access to the server.

Tracked under CVE-2024-27198 and CVE-2024-27199, the critical bugs have already been fixed on TeamCity cloud servers, and an on-premises fix is available in version 2023.11.4.

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” JetBrains said in a blog post on the issue. “The vulnerabilities affect all TeamCity On-Premises versions through 2023.11.3.”

TeamCity is a widely used tool for managing CI/CD pipelines, the continuous process of building, deploying, and testing software code, and has been adopted by a range of global brands including Tesla, McAfee, Samsung, Nvidia, HP, and Motorola.

Critical server jacking bugs

The bugs were first reported to JetBrains by Rapid7 as two new critical TeamCity on-premises flaws that could allow attackers to gain administrative control of the TeamCity server. They were subsequently assigned high CVSS base scores of 9.8/10 (CVE-2024-27198) and 7.5/10 (CVE-2024-27199).

While both JetBrains and Rapid7 have yet to disclose the technical details of how exactly the vulnerabilities can be exploited, a full disclosure is expected shortly.

“Rapid7 originally identified and reported these vulnerabilities to us and has chosen to adhere strictly to its own vulnerability disclosure policy,” JetBrains said in the post. “This means that their team will publish full technical details of these vulnerabilities and their replication steps within 24 hours of this notice.”

The company added that it typically withholds technical details of vulnerabilities after a release to give customers time to mitigate, but has been forced to urge customers to patch immediately because Rapid7's planned technical disclosure accelerates that timeline.

JetBrains confirmed that no TeamCity cloud servers were attacked before the patches were applied.

On-premise patches rolled out

JetBrains has listed two options for users to protect their TeamCity on-premises servers against these vulnerabilities.

As the standard option, users can update their servers to the latest 2023.11.4 version, either by downloading the update from a dedicated link or by using the automatic update option within TeamCity.

Alternatively, as option two, users can apply a targeted security patch plugin that fixes only these two vulnerabilities without the other components of the version update. The link to this plugin has been shared in the blog post.

TeamCity is a crucial DevOps tool for software development and has been a popular APT target in recent times. It was reported that an RCE flaw in the tool was being actively exploited in 2023 by Midnight Blizzard, the notorious Russian APT behind the 2020 SolarWinds hack.
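For an on-premises fleet, the first defensive step is an inventory check: which servers still run a version the advisory lists as affected (all versions through 2023.11.3, fixed in 2023.11.4). The script below is an added example, not JetBrains' or Rapid7's code; it assumes the version strings have already been collected (for instance from each server's web UI or REST API) and that they follow the `YEAR.MINOR[.PATCH] (build N)` shape. Hostnames and build numbers in the sample inventory are constructed.

```python
import re

# Version that ships the fix for CVE-2024-27198 and CVE-2024-27199 (from the advisory).
FIXED_VERSION = "2023.11.4"

# Leading dotted-numeric part of a TeamCity version string; the "(build N)" suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """Turn a version string such as '2023.11.3 (build 12345)' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """True when the reported version is older than 2023.11.4.

    Two-component versions such as '2023.11' are treated as patch level 0, so they
    compare below 2023.11.4 and are flagged. Caveat: a server fixed via the
    security patch plugin (option two) keeps its old version string and will still
    be flagged here; track plugin installs separately.
    """
    have = parse_version(version_text)
    want = parse_version(FIXED_VERSION)
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want


def triage(inventory: dict) -> dict:
    """Map each host to True (needs the update or plugin) or False (already fixed)."""
    return {host: is_vulnerable(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and build numbers are made up.
    sample = {
        "ci-build-01.example.internal": "2023.11.3 (build 12345)",
        "ci-build-02.example.internal": "2023.11.4 (build 12346)",
        "ci-legacy.example.internal": "2022.10",
    }
    for host, needs_patch in triage(sample).items():
        print(f"{host}: {'AFFECTED - update or apply plugin' if needs_patch else 'fixed'}")
```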
