JetBrains warns of new TeamCity auth bypass vulnerability

JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges.

Tracked as CVE-2024-23917, this critical severity flaw impacts all versions of TeamCity On-Premises from 2017.1 through 2023.11.2 and can be exploited in remote code execution (RCE) attacks that don't require user interaction.

"We strongly advise all TeamCity On-Premises users to update their servers to 2023.11.3 to eliminate the vulnerability," JetBrains said.

"If your server is publicly accessible over the internet and you are unable to take one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed."

Customers who cannot immediately upgrade can also use a security patch plugin to secure servers running TeamCity 2018.2+ and TeamCity 2017.1, 2017.2, and 2018.1.

While the company says that all TeamCity Cloud servers have been patched and there is no evidence they've been attacked, it has yet to reveal if CVE-2024-23917 has been targeted in the wild to hijack Internet-exposed TeamCity On-Premises servers.

Shadowserver is tracking more than 2,000 TeamCity servers exposed online, although there is no way to know how many have already been patched.

​A similar authentication bypass flaw tracked as CVE-2023-42793 was exploited by the APT29 hacking group linked to Russia's Foreign Intelligence Service (SVR) in widespread RCE attacks since September 2023.

"By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers," CISA warned.

Several ransomware gangs have exploited the same vulnerability since early October to breach corporate networks.

According to Microsoft, the North Korean Lazarus and Andariel hacking groups also used CVE-2023-42793 exploits to backdoor victims' networks, likely in preparation for software supply chain attacks.

JetBrains says that more than 30,000 organizations worldwide use TeamCity software building and testing platform, including high-profile companies like Citibank, Ubisoft, HP, Nike, and Ferrari.