JetBrains has disclosed a critical-rated vulnerability in its TeamCity CI/CD tool, exploitation of which could lead to remote code execution (RCE) and full administrative control of the server given to attackers.
Tracked as CVE-2023-42793, the authentication bypass flaw affecting the on-prem version of TeamCity could grant broad access to source code, opening victims up to software supply chain attacks.
Attacks on software supply chains involve attackers infiltrating systems like CI/CD pipelines, injecting malicious code that is installed on every customer’s device that uses a given piece of software. They can be hugely damaging and have seen great success for cyber criminals over time.
Some of the most impactful examples of recent times include the breach at MOVEit earlier this year, the attack on 3CX months before that, and Kaseya and SolarWinds’ respective attacks.
“With the capability to manipulate the build process, attackers can introduce malicious alterations. This jeopardizes the authenticity of software releases and introduces risks to all users reliant on the software,” said SOC Radar in a blog post.
“What heightens the severity of this flaw is the absence of a need for any user interaction for its exploitation. Even though full technical details are not publicly available now, the significance of taking immediate action to address this vulnerability cannot be emphasized enough.
“The ease with which this vulnerability can be exploited without requiring a valid account on the target server heightens concerns about potential misuse in the wild.”
JetBrains said the issue, which garnered a near-maximum CVSSv3 severity score of 9.8, is now fixed in version 2023.05.4, and all customers have been advised to upgrade as soon as possible.
All versions before this - 2023.5.03 and older - are vulnerable to the cyber attack. The issue doesn’t affect users of TeamCity Cloud.
Get guidance on how you can get maximum protection from your SIEM solution.
DOWNLOAD FOR FREE
If some organizations are unable to upgrade to the latest version, JetBrains has also released vulnerability-specific patches that will fix the issue without requiring a full upgrade.
Users of TeamCity 2019.2 and later won’t have to restart their server in order for the fix to take effect, but those running TeamCity 8.0-2018.2 will have to initiate a restart after the fix has been installed.
Public-facing servers that are unable to undergo any of the security mitigations, either a full upgrade or applying one of the hotfixes, should be taken offline until a time when updates can be applied, JetBrains said in its advisory.
According to security firm Rapid7, there is no evidence that the vulnerability has been exploited in the wild and no public exploit code is available.
“We still recommend, however, that TeamCity customers upgrade to the fixed version immediately, or else apply one of the vulnerability-specific patches outlined in the JetBrains advisory,” said Caitlin Condon, senior manager of vulnerability research at Rapid7.
“Rapid7 strongly recommends upgrading to the fixed version of the software as soon as possible rather than relying solely on workarounds.”
Even though exploit code doesn’t currently exist, disclosure of vulnerabilities alerts attackers to weaknesses in major products that can be more easily discovered when they know where to look.
The guidance in security advisories should be actioned as soon as possible to prevent any exploits developed in the future from being successful.
“However, it’s worth noting that the absence of a known exploit does not diminish the urgency to apply the recommended security measures,” said SOC Radar.
“History has shown that once a vulnerability becomes public knowledge, it’s only a matter of time before potential threats emerge. It remains a best practice to ensure that software, especially those critical to operations, is updated to the latest secure versions. Proactive steps today can save a lot of reactive efforts in the future.”
