Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
Two critical vulnerabilities have been discovered and patched in TeamCity, a build management and continuous integration server from JetBrains. These vulnerabilities are being tracked as CVE-2024-27198 and CVE-2024-27199 and impact all TeamCity On-Premises versions through 2023.11.3. They are reportedly being actively exploited as of March 6, 2024. A fix is available in version 2023.11.4, which was released Monday, March 4. If exploited, the flaws may enable an unauthenticated attacker with network access to a TeamCity server to bypass authentication and gain administrative control.
CVE-2024-27198
CVE-2024-27198 is an authentication bypass vulnerability found in JetBrains TeamCity versions before 2023.11.4. It has a CVSS score of 9.8 (Critical), with an exploitability subscore of 3.9 and an impact subscore of 5.9, and could allow an attacker to gain administrative privileges.
CVE-2024-27199
CVE-2024-27199 is a path traversal vulnerability found in JetBrains TeamCity versions before 2023.11.4. It has a CVSS score of 7.3 (High), with an exploitability subscore of 3.9 and an impact subscore of 3.4, and could allow an attacker to perform a limited set of admin actions, such as replacing a certificate on the server or causing a denial of service.
Exploitation of these vulnerabilities poses significant risk to codebases, CI/CD pipelines and any credentials stored on the TeamCity server. It could also directly affect codebases stored on TeamCity servers and may present supply chain risk.
Exploitation Detected
Exploitation of these flaws has been detected in the wild, likely fueled by a technical writeup released March 4, less than 24 hours after patches were made available. The article included proof-of-concept code and a new Metasploit module for the vulnerabilities.
LeakIX, an internet-scanning and vulnerability-tracking firm, reports that TeamCity instances are being attacked to create hundreds of random users. The attackers will likely use these accounts later to return to the impacted server, retaining access even after a patch has been applied.
Below are some key recommendations from Kroll’s cyber threat intelligence (CTI) team:
- Immediately address vulnerable instances of TeamCity servers by following the mitigation options in the JetBrains advisory.
- If patching is not immediately possible, disconnect any internet-connected TeamCity servers from the internet.
- If you are running an internet-facing TeamCity server that was not patched on March 4, assume compromise and invoke DFIR playbooks.
- Identify new account creation by checking Administration/Users in the TeamCity server console for accounts created since March 4.
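As an added example (not Kroll's or JetBrains' code), the following Python script supports the last recommendation by comparing the server's current user list against a baseline of usernames exported before March 4 and flagging accounts that look machine-generated. It assumes the TeamCity REST endpoint GET /app/rest/users returns JSON of the form {"count": N, "user": [{"id", "username", "name", ...}]}; the payload below is constructed, not captured from a real server.

```python
"""Audit a TeamCity user list for accounts added after a known-good baseline.

Added example, not code from Kroll or JetBrains. Assumes GET /app/rest/users
(Accept: application/json) returns {"count": N, "user": [{"id", "username",
"name", ...}]}. Replace SAMPLE_USERS_JSON with the live response in practice.
"""
import json
import math
import re
from collections import Counter

# Constructed sample resembling a server hit by mass account creation. Not real data.
SAMPLE_USERS_JSON = json.dumps({
    "count": 4,
    "user": [
        {"id": 1, "username": "admin", "name": "Administrator"},
        {"id": 2, "username": "build.agent", "name": "CI Service"},
        {"id": 57, "username": "xq7pz0k3vb", "name": "xq7pz0k3vb"},
        {"id": 58, "username": "m9t2wdlqh4", "name": "m9t2wdlqh4"},
    ],
})

# Assumed baseline: usernames exported from Administration/Users before March 4.
BASELINE = {"admin", "build.agent"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random-looking names score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(username: str) -> bool:
    """Heuristic: 8+ lowercase alphanumerics, no separators, digits present, high entropy."""
    return (re.fullmatch(r"[a-z0-9]{8,}", username) is not None
            and any(ch.isdigit() for ch in username)
            and shannon_entropy(username) > 3.0)


def find_suspicious_accounts(users_json: str, baseline: set) -> list:
    """Return users absent from the baseline, each annotated with the random-name heuristic."""
    users = json.loads(users_json).get("user", [])
    findings = []
    for u in users:
        name = u.get("username", "")
        if name not in baseline:
            findings.append({"id": u.get("id"), "username": name,
                             "random_looking": looks_random(name)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_accounts(SAMPLE_USERS_JSON, BASELINE):
        print(finding)
```

Any flagged account should be cross-checked against change tickets and the server's own logs before it is disabled, since the entropy heuristic only prioritises review and does not prove compromise.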