Serious On-Premises Bugs in JetBrains TeamCity May Allow for Server Takeovers

Two new security flaws in JetBrains TeamCity On-Premises software have surfaced, which a hostile actor could use to take control of affected servers. The issues, tracked as CVE-2024-27198 and CVE-2024-27199, are fixed in version 2023.11.4 and affect all TeamCity On-Premises versions through 2023.11.3.

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” JetBrains stated in a Monday alert.

The two vulnerabilities have already been addressed for TeamCity Cloud instances. Cybersecurity company Rapid7, which found and reported the flaws on February 20, 2024, revealed that CVE-2024-27198 is an authentication bypass that enables a remote, unauthenticated attacker to completely compromise a vulnerable server.

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents, and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” the business stated.

CVE-2024-27199, the second authentication bypass flaw, may allow an unauthenticated attacker to replace the HTTPS certificate of a vulnerable TeamCity server with a different certificate via the “/app/https/settings/uploadCertificate” endpoint, and even to change the port on which the HTTPS service listens.

A threat actor could use the vulnerability to upload a certificate that fails client-side validation, or to change the HTTPS port number, causing a denial of service on the TeamCity server. Alternatively, if clients trust the uploaded certificate, it could be used in adversary-in-the-middle situations.
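As an added example that is not part of the original article nor code from JetBrains or Rapid7, the following Python snippet turns the facts above into two defensive triage checks: whether a reported On-Premises version falls in the affected range (through 2023.11.3, fixed in 2023.11.4), and whether a web access log shows requests reaching the certificate-upload endpoint named above. The log lines and client addresses are constructed, and the combined (Apache/nginx style) log format is an assumption.

```python
import re
from typing import Iterable, List, Tuple

# Facts from the advisory: fixes ship in 2023.11.4; everything before is affected.
FIXED_VERSION = (2023, 11, 4)
# Endpoint the article names for CVE-2024-27199 (certificate replacement).
CERT_ENDPOINT = "/app/https/settings/uploadCertificate"


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a TeamCity version string such as '2023.11.3' or
    '2023.11.3 (build 147512)' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised TeamCity version: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # '2023.11' -> 2023.11.0
    return tuple(parts[:3])                  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True for every On-Premises release through 2023.11.3."""
    return parse_version(version) < FIXED_VERSION


# Assumed combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def cert_endpoint_requests(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, method, status) for each request that touched the
    certificate-upload endpoint. On an unpatched server such a request may
    have succeeded without authentication, so any hit from an unexpected
    client is a prompt to verify the server's HTTPS certificate and port."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue                          # skip lines in another format
        client, method, path, status = match.groups()
        if CERT_ENDPOINT in path.split("?", 1)[0]:
            hits.append((client, method, status))
    return hits


# Constructed sample log: one ordinary login, one hit on the certificate endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2024:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Mar/2024:10:01:09 +0000] "POST /app/https/settings/uploadCertificate HTTP/1.1" 200 41',
    '10.0.0.5 - - [04/Mar/2024:10:02:10 +0000] "GET /app/rest/server HTTP/1.1" 200 3100',
]
```

Run `is_affected()` against the version shown on the server's About page and `cert_endpoint_requests()` over the reverse-proxy or TeamCity access logs covering the window before patching.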

Rapid7 described the flaw as “allowing a limited number of authenticated endpoints to be reached without authentication through this authentication bypass. An unauthenticated attacker can leverage this vulnerability to both modify a limited number of system settings on the server, as well as disclose a limited amount of sensitive information from the server.”

The development occurred about a month after JetBrains patched a different vulnerability that would have allowed an unauthorized attacker to take over TeamCity servers. Users must update their servers right away because North Korean and Russian threat actors actively exploited security flaws in JetBrains TeamCity last year.