TeamCity Authentication Bypass Bug Exploited to Mass-generate Admin Accounts

Earlier this week, JetBrains disclosed CVE-2024-27198, a critical severity authentication bypass vulnerability in TeamCity On-Premise. According to researchers, hackers have begun mass exploiting this vulnerability, with hundreds of new users being created on unpatched instances of TeamCity exposed on the public web. According to Internet scans, there are still around 1,700 TeamCity servers exposed that have not installed the latest update. Most of the vulnerable hosts are in Germany, the United States, and Russia, followed at a distance by China, the Netherlands, and France.

LeakIX, which shared these findings, says that threat actors have already compromised more than 1,400 exposed instances. GreyNoise also noted a sharp increase in attempts to exploit CVE-2024-27198 on March 5th. According to GreyNoise statistics, most attempts come from systems in the United States on the DigitalOcean hosting infrastructure.

Security Officer Comments:
Most concerning, TeamCity servers are typically used as production machines for building, testing, and deploying software. Compromise of these servers could lead to supply chain attacks, as these servers often contain sensitive credentials for the environments where code is deployed, published, and stored.

Rapid7 expressed concerns about this recent exploitation, noting that “compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack.”

Suggested Corrections:
CVE-2024-27198 has a critical severity score of 9.8 out of 10 and affects all releases up to 2023.11.4 of the on-premise version of TeamCity. Exploitation of the vulnerability allows a remote unauthenticated attacker to take control of a vulnerable server with admin privileges.

Discovered by Stephen Fewer, a principal security researcher at Rapid7, the vulnerability was reported to JetBrains in mid-February and fixed on March 4. Rapid7 has published complete technical details on what causes the issue and demonstrated how an attacker could exploit it to achieve remote code execution.

JetBrains announced on Monday the release of TeamCity 2023.11.4 with a fix for CVE-2024-27198, encouraging all users to update instances to the latest version. With massive exploitation already observed, administrators of on-premise TeamCity instances should take urgent steps towards installing the newest release.