TeamCity supply chain bugs receive massive exploitation

The TeamCity on-premises bugs that received patches on Monday have already been used by hackers to generate unauthorized admin accounts at a massive scale, according to the threat search engine LeakIX.

The bugs, tracked under CVE-2024-27198 and CVE-2024-27199, remain unpatched for a large number of devices, opening them up to critical software supply chain attacks.

“We are seeing massive exploitation of #TeamCity CVE-2024-27198,” LeakIX said in a social media post. “Hundreds of users are created for later use across the Internet. If you were/are still running a vulnerable system, assume compromise.”

Rapid7 first discovered the bugs, a pair of authentication bypass vulnerabilities that can lead to remote code execution (RCE) as well as supply chain attacks.

Generating admin accounts for future attacks

LeakIX said it found 1711 devices online that have not yet been patched against the TeamCity vulnerabilities, allowing the generation of at least 1442 unauthorized admin accounts since Monday.

LeakIX is a search engine for misconfigured and vulnerable devices across the internet that, apart from listing the vulnerable instances, provides additional details such as IPs, networks, and countries.

The US (269), Germany (267), and Russia (191) had the most compromised instances (those with admin accounts created) in a list shared by LeakIX. They had 330, 302, and 221 unpatched systems respectively at the last count.

“There are between 3 and 300 users created on compromised instances, usually the pattern is 8 alphanum characters,” LeakIX reportedly said.
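As an added example (not code from the article, LeakIX, or JetBrains), a small Python triage helper that applies the indicators above to a TeamCity user list: it flags admin accounts whose names match the 8-character alphanumeric pattern and were created on or after the patch date. The record layout and the sample users are constructed for this example; a real check would feed it the server's actual user list.

```python
import re
from datetime import datetime, timezone

# Pattern reported by LeakIX for the rogue accounts: exactly 8 alphanumeric characters.
ROGUE_NAME = re.compile(r"^[A-Za-z0-9]{8}$")

# Fixes for CVE-2024-27198 / CVE-2024-27199 shipped Monday, 4 March 2024 (per the article);
# admin accounts created on or after that date on a previously unpatched host deserve scrutiny.
PATCH_RELEASE = datetime(2024, 3, 4, tzinfo=timezone.utc)

# Constructed sample user records. The record shape (username, admin flag, creation time)
# is an assumption for this example, not TeamCity's own export format.
SAMPLE_USERS = [
    {"username": "jdoe", "is_admin": True, "created": "2023-11-02T09:14:00Z"},
    {"username": "buildbot", "is_admin": False, "created": "2023-06-15T12:00:00Z"},
    {"username": "xK3p9qL2", "is_admin": True, "created": "2024-03-05T03:41:17Z"},
    {"username": "Q7mT2vR8", "is_admin": True, "created": "2024-03-05T03:41:19Z"},
    {"username": "release8", "is_admin": False, "created": "2024-01-20T08:00:00Z"},
]

def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_users(users, allowlist=frozenset(), since=PATCH_RELEASE):
    """Flag admin accounts that look like the mass-created rogue users.

    An account is flagged when it has admin rights, is not on the allowlist,
    its name matches the 8-alphanumeric pattern, and it was created on or after `since`.
    Returns the flagged usernames, the total admin count, and a verdict for the instance.
    """
    flagged = []
    for u in users:
        name = u["username"]
        if name in allowlist or not u["is_admin"]:
            continue
        if ROGUE_NAME.match(name) and parse_ts(u["created"]) >= since:
            flagged.append(name)
    return {
        "flagged": flagged,
        "admin_count": sum(1 for u in users if u["is_admin"]),
        # Per LeakIX's guidance: any rogue admin on a previously vulnerable host means assume compromise.
        "verdict": "assume compromise" if flagged else "no rogue admins found",
    }

if __name__ == "__main__":
    report = triage_users(SAMPLE_USERS, allowlist={"jdoe"})
    print(report)
```

An allowlisted or non-admin account is never flagged, so a legitimately named service account such as the sample "release8" does not trigger the verdict on its own.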

The disclosure spat

Rapid7 considered the vulnerabilities critical and published full technical details shortly after the patches came out, recommending immediate patching.

“TeamCity has been a popular target for attackers, including state-sponsored groups, over the past six months or so,” said Caitlin Condon, director of vulnerability intelligence at Rapid7.

“Both vulnerabilities Rapid7 discovered in TeamCity are authentication bypasses; the first (CVE-2024-27198) is critical and allows for unauthenticated remote code execution, which in turn gives potential attackers control over TeamCity builds, agents, artifacts, and so on,” Condon added. “The second vulnerability (CVE-2024-27199) is high-severity instead of critical, and allows for limited information disclosure and/or system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker’s choosing.”

However, in its security release for these vulnerabilities, JetBrains indicated that Rapid7 had rushed the company into disclosing the issues, because Rapid7 chose to abide strictly by its own vulnerability disclosure policy and was about to publish full technical details.

While CSO did not receive any additional comment on the disagreement between the two parties, Rapid7's blog post with the full technical details did hint at some friction over disclosure practices. “On March 4, Rapid7 noted that JetBrains released a fixed version of TeamCity without notifying Rapid7 that fixes had been implemented and were generally available,” Rapid7 said in the post. “When Rapid7 contacted JetBrains about their uncoordinated vulnerability disclosure, JetBrains published an advisory on the vulnerabilities without responding to Rapid7 on the disclosure timeline. JetBrains later responded to indicate that CVEs had been published.”