On March 4, 2024, JetBrains released a patch for two critical and high severity authentication bypass vulnerabilities — CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3). Each of these vulnerabilities may enable an unauthenticated attacker who has HTTP(s) access to a TeamCity server to bypass authentication checks and gain administrative control of the server. Exploitation attempts have been observed in the wild; it is highly recommended to upgrade TeamCity to the patched version or apply the “security patch” plugin as a workaround. 

March 10, 2024 update:

On March 7, 2024, CVE-2024-27198 was added to the CISA Known Exploited Vulnerabilities catalog based on evidence of active exploitation.

What is CVE-2024-27198? 

This critical vulnerability allows remote unauthenticated attackers to bypass authentication and gain complete control over a vulnerable server. It arises from how the jetbrains.buildServer.controllers.BaseController class handles certain requests, allowing attackers to manipulate the URL and access authenticated endpoints directly. 

Attackers can exploit this by crafting a URL with specific parameters, enabling them to call authenticated endpoints without proper authentication. Exploitation can lead to creating new administrator accounts or generating administrator access tokens, thereby providing attackers with full control over the TeamCity server and associated resources. 

What is CVE-2024-27199? 

This highseverity vulnerability enables unauthenticated attackers to bypass authentication and access a limited set of authenticated endpoints, allowing for modification of system settings and disclosure of sensitive information. By exploiting path traversal issues in specific paths like /res/ and /update/, attackers can traverse to alternative endpoints without authentication. This leads to accessing JSP pages and servlet endpoints that leak information and permit system settings modification. 

For instance, attackers can reach endpoints such as /app/https/settings/uploadCertificate to upload a new TLS certificate or change the HTTPS port number. These actions can result in a denial-of-service attack or facilitate eavesdropping or man-in-the-middle attacks on client connections if the uploaded certificate is trusted by the client. 

Exploitation attempts have been observed in the wild by Greynoise and Shadowserver. 

Wiz Research data: what’s the risk to cloud environments?       

According to Wiz data, approximately 10% of cloud environments have instances with TeamCity installed and 8.5% have instances vulnerable to CVE-2024-27198 and CVE-2024-27199, as of March 6, 2024.  

Exposed TeamCity Servers 

A simple Shodan search for TeamCity servers shows around 2,200 instances exposed to the internet:  

Which products are affected? 

All versions of TeamCity On-Premises up to but not including 2023.11.4 are affected by these vulnerabilities. 

TeamCity Cloud instances have been patched automatically. 

Which actions should security teams take? 

It is recommended to update TeamCity to the patched version, 2023.11.4, or above. 

For users unable to update to the patched version at this time, JetBrains has provided a "security patch" plugin as a workaround. The plugin can be installed on all TeamCity versions through 2023.11.3. Use the plugin for either TeamCity 2018.2 and newer or TeamCity 2018.1 and older, depending on the major version you're using. 

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment. 

References 

• JetBrains advisory 

• Rapid7 blog