Recent disclosures have revealed critical vulnerabilities in JetBrains TeamCity. Two vulnerabilities have been identified, namely: CVE-2024-27198 and CVE-2024-27199. It allows unauthenticated attackers to bypass authentication measures and gain unauthorized access to sensitive endpoints within the TeamCity server.
CVE-2024-27198: Authentication Bypass Flaw
CVE-2024-27198 exposes a critical vulnerability in TeamCity’s authentication mechanism, granting unauthenticated attackers complete control over vulnerable servers. This flaw stems from the mishandling of requests by the jetbrains build Server controllers. BaseController class, enabling attackers to manipulate URI paths and access authenticated endpoints directly.
Exploitation Process for CVE-2024-27198:
- The attacker initiates a 404 response by requesting a non-existent resource, such as “/gojo”.
- An HTTP query parameter named “jsp” is appended to the URI path, containing the value of an authenticated URI path ending with “.jsp”.
- The manipulated URI path becomes “/gojo?jsp=/app/rest/server;.jsp”, leveraging the authentication bypass to access authenticated endpoints.
- Attackers can exploit this vulnerability to execute actions like creating new administrator users or generating administrator access tokens through targeted requests to specific REST API endpoints.
Impact of CVE-2024-27198:
Exploiting this vulnerability grants attackers full control over the TeamCity server, including access to projects, builds, agents, and associated artifacts.
CVE-2024-27199: Path Traversal Vulnerability
CVE-2024-27199 exposes an authentication bypass vulnerability in TeamCity’s web server, enabling unauthenticated attackers to access authenticated endpoints via path traversal flaws. By exploiting these vulnerabilities, attackers can modify system settings and disclose sensitive information without proper authentication.
Exploitation Process for CVE-2024-27199:
- Attackers exploit path traversal vulnerabilities in endpoints like “/res/”, “/update/”, and “/.well-known/acme-challenge/” to reach authenticated endpoints.
- Utilizing double dot path segments, attackers traverse to alternative endpoints without authentication, such as accessing “/admin/diagnostic.jsp” by using paths like “/res/../admin/diagnostic.jsp”.
- Attackers can exploit endpoints like “/app/https/settings/uploadCertificate” to upload malicious HTTPS certificates or alter HTTPS port numbers.
Impact of CVE-2024-27199:
Unauthenticated attackers can modify system settings, disclose sensitive information, and launch denial-of-service attacks, disrupting server-client communications.
Solutions
JetBrains has launched TeamCity 2023.11.4, effectively addressing the two vulnerabilities. They have also disclosed the severity of these vulnerabilities and the potential consequences of their exploitation, emphasizing that “all versions through 2023.11.3 are impacted.”
Administrators are strongly advised to promptly update their servers to version 2023.11.4. For those unable to do so immediately, a security patch plugin is available for both newer versions like TeamCity 2018.2 and onwards, as well as for older editions like TeamCity 2018.1 and earlier.
SanerNow Vulnerability Management, Risk Prioritization, and Patch Management detect and automatically fix vulnerabilities with risk-based remediation. With SanerNow, you can keep your systems updated and secure.
