JetBrains Patches Severe TeamCity Flaw Allowing RCE and Server Hijacking
By Deeba Ahmed
- This flaw was assigned a CVSS score of 9.8.
- The flaw impacted TeamCity version 2023.05.3 and below.
- Stefan Schiller from Sonar discovered a critical-severity authentication bypass vulnerability in the TeamCity CI/CD server.
- It could allow attackers to obtain source code, perform RCE and supply chain attacks, and gain full administrative control of the server.
- JetBrains has fixed the flaw in TeamCity version 2023.05.4.
The software development firm JetBrains has patched a critical vulnerability in its TeamCity CI/CD (continuous integration and continuous delivery) solution. The vulnerability, tracked as CVE-2023-42793, would have allowed unauthenticated attackers to perform remote code execution (RCE) and take full control of the server.
As per Rapid7 researchers, as of September 25, 2023, there was no evidence of the flaw getting exploited in the wild. Moreover, there wasn’t any public exploit code available for this vulnerability.
**What is CVE-2023-42793?**
This vulnerability was found by Sonar's security researcher Stefan Schiller. It is an authentication bypass flaw affecting TeamCity On-Premises versions 2023.05.3 and below, rated CVSS 9.8. Schiller noted that adversaries must interact with the user to exploit it. If they could achieve that, it was possible to steal source code, stored service secrets, and even private keys, and to carry out supply chain attacks.
What's even worse is that they could access the build process and effortlessly inject malicious code to compromise the software and impact "all downstream users." The researcher also noted that a Shodan scan showed over 3,000 On-Premises TeamCity servers accessible from the internet.
**Apply the Patch ASAP**
JetBrains has fixed this flaw in version 2023.05.4 of the product released on September 18. It also released a security advisory but didn’t disclose technical details of the vulnerability for now.
JetBrains urges customers to upgrade to the latest version promptly: exploitation of CVE-2023-42793 is "trivial" and does not require a "valid account on the target instance," which makes it an attractive target for threat actors.
A patch plugin is available for those who cannot upgrade to the new version. TeamCity users running version 2018.2 or above don't need to restart the server after installing the plugin; users running versions 8.0 to 2018.1 do. If you can neither upgrade nor install the patch, make the server temporarily inaccessible to mitigate the threat of exploitation.
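As an added example (not code from JetBrains, Sonar or HackRead), the following Python implements the triage decision described above for a fleet of TeamCity On-Premises servers: it parses TeamCity's year.minor.patch version strings, flags anything below 2023.05.4 as affected, and picks the remediation path the advisory gives (upgrade; plugin without restart for 2018.2 and later; plugin plus restart for 8.0 to 2018.1; otherwise take the server offline). Hostnames, versions and build numbers in the inventory are constructed.

```python
"""Triage helper for CVE-2023-42793 (TeamCity On-Premises).
Added example, not vendor code. Thresholds come from the advisory as reported:
fixed in 2023.05.4; patch plugin needs no restart on 2018.2+, needs a restart
on 8.0 through 2018.1; otherwise take the server offline until upgraded."""
import re
from typing import Dict, Tuple

FIXED = (2023, 5, 4)           # first fixed release named in the advisory
PLUGIN_NO_RESTART = (2018, 2)  # plugin works without a restart from here up
PLUGIN_MIN = (8, 0)            # oldest version the plugin covers

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2023.05.3', '2018.1' or '2023.05.3 (build 12345)' into an int tuple.
    '05' and '5' compare equal; a missing patch level counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected(version: str) -> bool:
    """CVE-2023-42793 affects every release before 2023.05.4."""
    return parse_version(version) < FIXED

def remediation(version: str) -> str:
    """Map a version to the action the advisory describes."""
    v = parse_version(version)
    if v >= FIXED:
        return "patched"
    if v[:2] >= PLUGIN_NO_RESTART:
        return "upgrade to 2023.05.4 or install the patch plugin (no restart needed)"
    if v[:2] >= PLUGIN_MIN:
        return "upgrade to 2023.05.4 or install the patch plugin, then restart the server"
    return "upgrade to 2023.05.4; until then take the server offline"

# Constructed inventory: (hostname, version string as the server reports it)
INVENTORY = [
    ("ci-01.example.internal", "2023.05.4 (build 12345)"),
    ("ci-02.example.internal", "2023.05.3"),
    ("ci-legacy.example.internal", "2018.1.5"),
    ("ci-old.example.internal", "7.1.5"),
]

def triage(inventory=INVENTORY) -> Dict[str, Tuple[bool, str]]:
    """Return {host: (affected, action)} for a fleet inventory."""
    return {host: (is_affected(v), remediation(v)) for host, v in inventory}

if __name__ == "__main__":
    for host, (affected, action) in triage().items():
        print(f"{host}: {'AFFECTED' if affected else 'ok'} - {action}")
```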
**Possible Dangers**
Henrik Plate, a security researcher at application security firm Endor Labs, explained that the vulnerability allows unauthenticated users to obtain administrative control of the server, giving an adversary access to sensitive information such as secrets, source code, or any other asset stored on the CI/CD system.
An RCE flaw lets attackers run arbitrary code on the system with the privileges of the OS user that runs the vulnerable TeamCity server process. From there, attackers can move laterally to other systems, escalate privileges further, and tamper with the software, establishing persistent access through accounts they control. They can even manipulate the builds run and managed by TeamCity.
“The worst-case scenario is probably one where attackers silently manipulate the software created by TeamCity, as this would affect all the users running such infected software. Such attacks are comparable to the SolarWinds incident, where compromised versions of SolarWinds were downloaded and run by numerous organizations.”
“This underlines to what extent the security of today’s software depends on the security of upstream dependencies of all kinds – not only “embedded” components, those that become part of the actual software product, but also all the other components used throughout the software development lifecycle, from code to cloud,” Plate explained about the possible dangers of running an unpatched TeamCity version.