TeamCity auth bypass bug exploited to mass-generate admin accounts


Hackers have started to exploit the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, which JetBrains addressed in an update on Monday.

Exploitation appears to be massive, with hundreds of new users created on unpatched instances of TeamCity exposed on the public web.

Risk of supply-chain attacks

LeakIX, a search engine for exposed device misconfigurations and vulnerabilities, told BleepingComputer that a little over 1,700 TeamCity servers have yet to receive the fix.

TeamCity installations vulnerable to auth bypass bug CVE-2024-27198
TeamCity installations vulnerable to auth bypass bug CVE-2024-27198
source: LeakIX

Most of the vulnerable hosts indexed by LeakIX are in Germany, the United States, and Russia, followed at a distance by China, the Netherlands, and France.

Of these, the platform indicates that hackers have already compromised more than 1,440 instances.

“There are between 3 and 300 hundreds users created on compromised instances, usually the pattern is 8 alphanum characters,” LeakIX told BleepingComputer.

TeamCity instances already compromise through CVE-2024-27198
TeamCity instances already compromise through CVE-2024-27198
source: LeakIX

GreyNoise, a company that analyzes internet scanning traffic, also recorded on March 5 a sharp increase in attempts to exploit CVE-2024-27198.

According to GreyNoise statistics, most attempts come from systems in the United States on the DigitalOcean hosting infrastructure.

Gregory Boddin of LeakIX told BleepingComputer that the TeamCity servers observed are production machines used to build and deploy software.

This means that compromising them could lead to supply-chain attacks as they may contain sensitive details such as credentials for the environments where code is deployed, published, or stored (e.g. stores and marketplaces, repositories, company infrastructure).

Cybersecurity company Rapid7 expressed the same concern in a blog post analyzing the vulnerability and the ways it can be leveraged in attacks

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack” – Rapid7

Urgent TeamCity update

CVE-2024-27198 has a critical severity score of 9.8 out of 10 and affects all releases up to 2023.11.4 of the on-premise version of TeamCity.

It is present in the web component of the server and can allow a remote, unauthenticated attacker to take control of a vulnerable server with administrative privileges.

Discovered by Stephen Fewer, a principal security researcher at Rapid7, the vulnerability was reported to JetBrains in mid-February and fixed on March 4.

Rapid7 has published a complete technical details on what causes the issue and demonstrated how an attacker could exploit it to achieve remote code execution.

JetBrains annouced on Monday the release of TeamCity 2023.11.4 with a fix for CVE-2024-27198, encouraging all users to update instances to the latest version.

With massive exploitation already observed, administrators of on-premise TeamCity instances should take urgent steps towards installing the newest release.





Source link