Hackers have recently seized upon a critical-severity authentication bypass vulnerability, CVE-2024-27198, within TeamCity On-Premises. JetBrains has swiftly responded to this threat by releasing an update on Monday to address the issue.
JetBrains TeamCity automates software project development, testing, and deployment. The flaw allows attackers to take over TeamCity servers by bypassing authentication. Rapid7, credited with uncovering the flaw, explains that it has the potential to give an attacker “full control over all TeamCity projects, builds, agents and artifacts”.
The scale of exploitation is alarming. Numerous unpatched TeamCity installations have been targeted, and hundreds of unauthorized user accounts have been created on instances accessible on the public web.
LeakIX, a search engine specializing in exposed device misconfigurations and vulnerabilities, has identified over 1,700 TeamCity servers that remain vulnerable to this exploit. The servers are mainly located in Germany, the United States, and Russia, with notable concentrations also found in China, the Netherlands, and France. Disturbingly, more than 1,440 instances have already been compromised. According to LeakIX, the unauthorized user accounts created on compromised instances typically follow a pattern of 8 alphanumeric characters.
Gregory Boddin of LeakIX highlighted that the affected TeamCity servers are crucial software building and deployment production machines. Their compromise poses a significant threat, potentially leading to supply-chain attacks due to the sensitive information they may harbor, including credentials for various environments where code is deployed or stored, such as repositories and company infrastructure.
The urgency of addressing this vulnerability cannot be overstated. CVE-2024-27198 carries a critical severity score of 9.8 out of 10 and affects all releases of the on-premises version of TeamCity before version 2023.11.4. Discovered by Stephen Fewer, a principal security researcher at Rapid7, the vulnerability was promptly reported to JetBrains in mid-February and was fixed on March 4.
JetBrains has released TeamCity version 2023.11.4, containing the necessary fix for CVE-2024-27198. All users are strongly urged to update their instances to the latest version immediately.
Given the widespread exploitation observed, administrators and IT teams must prioritize installing this critical update to safeguard their systems and mitigate the risk of potential supply-chain attacks.
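
The two checks the article gives defenders (a version below 2023.11.4, and user accounts matching the 8-alphanumeric-character pattern LeakIX reports) can be combined into a triage pass over a server inventory. The following is an added example, not code from JetBrains, Rapid7 or LeakIX; the inventory layout, hostnames, usernames and the allow-list of known accounts are constructed for illustration.

```python
import re

FIXED_VERSION = (2023, 11, 4)                # article: 2023.11.4 contains the fix
ROGUE_NAME = re.compile(r"[A-Za-z0-9]{8}")   # article: 8 alphanumeric characters

def parse_version(text):
    """Turn '2023.11.3' or '2023.05' into a comparable tuple such as (2023, 11, 3)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def suspect_accounts(usernames, known_accounts):
    """Usernames that fit the reported pattern and that nobody can vouch for.

    Legitimate names such as 'buildbot' also fit the pattern, so the
    allow-list (an assumption: taken from your identity source) filters them.
    """
    return sorted(u for u in usernames
                  if ROGUE_NAME.fullmatch(u) and u not in known_accounts)

def triage(server, known_accounts):
    needs_patch = parse_version(server["version"]) < FIXED_VERSION
    suspects = suspect_accounts(server["users"], known_accounts)
    if suspects:
        # Updating does not delete accounts created before the update,
        # so a patched server with a suspect account still needs review.
        action = "investigate"
    elif needs_patch:
        # The pattern is only "typical": no match does not clear the server.
        action = "patch-and-review"
    else:
        action = "ok"
    return {"host": server["host"], "needs_patch": needs_patch,
            "suspects": suspects, "action": action}

# Constructed sample inventory (not real hosts or accounts).
KNOWN = {"admin", "jsmith", "buildbot", "deploy01"}
SERVERS = [
    {"host": "ci-a.example.internal", "version": "2023.11.3",
     "users": ["admin", "jsmith", "buildbot", "k3Rt9xQ2"]},
    {"host": "ci-b.example.internal", "version": "2023.11.4",
     "users": ["admin", "deploy01", "Zq81LmP0"]},
    {"host": "ci-c.example.internal", "version": "2023.05.4",
     "users": ["admin"]},
]

if __name__ == "__main__":
    for srv in SERVERS:
        print(triage(srv, KNOWN))
```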