JetBrains Patches Severe TeamCity Flaw Allowing RCE and Server Hijacking

• This flaw was assigned a CVSS score of 9.8.

• The flaw impacted TeamCity version 2023.05.3 and below.

• Stefan Schiller from Sonar discovered a critical-severity authentication bypass vulnerability in the TeamCity CI/CD server.

• It could allow attackers to obtain source code, perform RCE and supply chain attacks, and get full administrative control of the server.

• JetBrains has fixed the flaw in TeamCity version 2023.05.4.

JetBrains software development firm has patched a critical vulnerability in its TeamCity CI/CD (continuous integration and continuous delivery) solution. The vulnerability (tracked as CVE-2023-42793) would have allowed authenticated attackers to perform remote code execution (RCE) and fully control the server.

As per Rapid7 researchers, as of September 25, 2023, there was no evidence of the flaw getting exploited in the wild. Moreover, there wasn’t any public exploit code available for this vulnerability.

****What is CVE-2023-42793?****

This vulnerability was found by Sonar’s security researcher, Stefan Schiller. It is an authentication bypass flaw impacting On-Premises TeamCity versions 2023.05.3 or below and was rated 9.8. Schiller noted that adversaries must interact with the user to exploit it. If they could achieve that, it was possible to steal source code, stored service secrets, and even private keys and carry out supply chain attacks.

What’s even worse is that they could access the build process to effortlessly inject malicious code to compromise the software and impact “all downstream users.” the researcher also noted that when scanned, Shodan displayed over 3,000 On-Premises TeamCity accessible on the internet.

****Apply the Patch ASAP****

JetBrains has fixed this flaw in version 2023.05.4 of the product released on September 18. It also released a security advisory but didn’t disclose technical details of the vulnerability for now.

JetBrains urges customers to upgrade to the latest version promptly because the “trivial” CVE-2023-42793 can be exploited as it doesn’t need a “valid account on the target instance.” Therefore, threat actors would want to exploit it.

A patch is available for those who cannot upgrade to the new version. TeamCity users running version 2018.2 or above don’t need to restart the server after installing the plugin. However, users running versions 8.0 to 2018.1 have to restart the server. If you cannot upgrade or install the patch, it is necessary to make the server temporarily inaccessible to mitigate the threat of exploitation.

****Possible Dangers****

Application security firm Endor Labs’ security researcher, Henrik Plate, explained that the vulnerability allows non-authenticated users to obtain the server’s administrative control, and any adversary can access sensitive information like secrets or source code or any asset stored on the CI/CD system.

An RCE flaw lets attackers run arbitrary code on the system without alerting the OS if the user runs the vulnerable TeamCity server process. Once done, attackers can move laterally to other systems, elevate privileges further, and tamper with the software. This would allow them to gain permanent access via their owned accounts. They can even manipulate builds run/managed by TeamCity.

“The worst-case scenario is probably one where attackers silently manipulate the software created by TeamCity, as this would affect all the users running such infected software. Such attacks are comparable to the SolarWinds incident, where compromised versions of SolarWinds were downloaded and run by numerous organizations.”

“This underlines to what extent the security of today’s software depends on the security of upstream dependencies of all kinds – not only “embedded” components, those that become part of the actual software product, but also all the other components used throughout the software development lifecycle, from code to cloud,” Plate explained about the possible dangers of running an unpatched TeamCity version.

****RELATED ARTICLES****

1. Google Account Sync Vulnerability Exploited to Steal $15M
2. 900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data
3. WinRAR users update software as 0-day vulnerability is found