Publicly available exploits incite unwarranted chaos
On March 4, 2024, JetBrains released a blog post detailing the security patch for TeamCity, a Continuous Integration and Continuous Delivery (CI/CD) server developed by JetBrains that plays a crucial role within organizations across the globe.
The vendor released bug fixes for two Authentication Bypass vulnerabilities (CVE-2024-27198 and CVE-2024-27199). Shortly afterwards, the Rapid7 team released preliminary exploit code for the vulnerabilities impacting JetBrains TeamCity.
Weighing the criticality of the impacted product and the past exploitation of JetBrains TeamCity (CVE-2023-42793) by the Russian Foreign Intelligence Service (SVR) and two North Korean nation-state threat actors, Diamond Sleet and Onyx Sleet (both capable of successfully launching supply chain attacks), Cyble Research and Intelligence Labs (CRIL) researchers actively monitored the chain of events across the surface, deep and dark web. The investigation led CRIL researchers to observe active exploitation attempts of CVE-2024-27198 detected on Cyble Global Sensor Intelligence (CGSI) from March 5, 2024 onwards.
CRIL researchers also picked up certain activities in the underground that indicate the aftereffects of unpatched JetBrains assets being exploited.
The Authentication Bypass vulnerabilities were discovered by Rapid7 in February 2024. The vulnerabilities CVE-2024-27198 and CVE-2024-27199 fall under the critical and high severity categories, respectively. These vulnerabilities affect all versions of TeamCity On-Premises before version 2023.11.4.
CVE-2024-27198: An authentication bypass vulnerability in the web component of the affected versions of TeamCity that stems from an alternative path issue. An unauthenticated attacker can craft a URL, bypassing authentication checks, which provides them with access to restricted endpoints.
CVE-2024-27199: An authentication bypass vulnerability in the TeamCity web server. A limited number of authenticated endpoints are reachable by unauthenticated attackers due to a path traversal issue impacting the following paths (the list may not be exhaustive):
/res/
/update/
/.well-known/acme-challenge/
By utilizing the above paths and exploiting the path traversal issue, an attacker can traverse to an alternative endpoint such as:
/app/availableRunners
/app/https/settings/setPort
/app/https/settings/certificateInfo
/app/https/settings/defaultHttpsPort
/app/https/settings/fetchFromAcme
/app/https/settings/removeCertificate
/app/https/settings/uploadCertificate
/app/https/settings/termsOfService
/app/https/settings/triggerAcmeChallenge
/app/https/settings/cancelAcmeChallenge
/app/https/settings/getAcmeOrder
/app/https/settings/setRedirectStrategy
/app/pipeline
/app/oauth/space/createBuild.html
Exploitation of this vulnerability allows modification of a limited number of system configuration settings on the server and limited disclosure of sensitive information from the server.
TeamCity has released a patch to mitigate both vulnerabilities. Customers can also utilize the automatic update option within TeamCity or the security patch plugin as an alternative.
At the time of publication, Cyble’s Odin Scanner indicated 1,780 internet-exposed TeamCity instances (as shown below). Most of the instances were geolocated in the United States, Ireland, and Germany.
Figure 1 – Internet Exposure for TeamCity via ODIN Scanner
Note: Internet-exposed assets do not indicate vulnerable instances but rather provide a view of the attack surface visible to attackers.
Cyble Global Sensor Intelligence (CGSI) observed exploitation attempts of CVE-2024-27198 from March 5, 2024 onwards. In one of the instances captured by CGSI, shown in the figure below, an attacker attempts to reach the authenticated endpoint /app/rest/server by requesting a non-existent resource /hax, appending the HTTP query string ?jsp=/app/rest/server, and ensuring the arbitrary URI path ends with .jsp by appending the HTTP path parameter segment ;.jsp.
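As an added detection example (not code from Cyble, Rapid7 or JetBrains), the following Python scans web-server access-log lines for the two request shapes described in this post: the CVE-2024-27198 alternative-path pattern (a jsp query parameter naming a restricted endpoint, with the URI forced to end in .jsp through a ;.jsp segment) and the CVE-2024-27199 traversal from /res/, /update/ or /.well-known/acme-challenge/ into the /app/ endpoints listed above. Each hit's source address is also compared against the defanged indicator table at the end of this post. The Common Log Format, the restricted-prefix list and the sample log lines are assumptions constructed for the example; only the indicator addresses come from the post.

```python
"""Detection of CVE-2024-27198 / CVE-2024-27199 request patterns in access logs.

Added example, not Cyble's, Rapid7's or JetBrains' code. Log format and sample
lines are constructed; indicator addresses are taken from the post's IoC table.
"""
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Common Log Format access-log line (an assumption about the deployment's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Unauthenticated prefixes named for CVE-2024-27199 in this post.
TRAVERSAL_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")
# Restricted endpoints the traversal can reach (from the endpoint list in the post).
RESTRICTED_PREFIXES = ("/app/https/settings/", "/app/availableRunners",
                       "/app/pipeline", "/app/oauth/space/")

# Defanged IP indicators copied from the IoC table at the end of this post.
DEFANGED_IOCS = (
    "143[.]198[.]150[.]42", "170[.]64[.]155[.]123", "165[.]22[.]159[.]187",
    "192[.]34[.]62[.]65", "45[.]55[.]194[.]62", "24[.]144[.]82[.]64",
    "167[.]99[.]48[.]60", "157[.]230[.]15[.]25", "170[.]64[.]157[.]36",
    "170[.]64[.]220[.]72", "188[.]166[.]148[.]243",
)
KNOWN_SCANNERS = {ipaddress.ip_address(i.replace("[.]", ".")) for i in DEFANGED_IOCS}


def query_params(query):
    """Split a raw query string on '&' only; ';' is kept because it is part of the pattern."""
    params = {}
    for kv in query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            params.setdefault(unquote(key), unquote(value))
    return params


def detect_27198(target):
    """CVE-2024-27198 alternative-path pattern: a 'jsp' query parameter naming an
    endpoint, with the URI forced to end in '.jsp' (typically via a ';.jsp' segment)."""
    parts = urlsplit(target)
    jsp = query_params(parts.query).get("jsp")
    if jsp is None:
        return None
    if ";.jsp" in target or parts.path.endswith(".jsp"):
        return "CVE-2024-27198 pattern: jsp=" + jsp.split(";", 1)[0]
    return None


def detect_27199(target):
    """CVE-2024-27199 traversal pattern: a request under an unauthenticated prefix
    whose decoded, normalised path resolves into a restricted /app/ endpoint."""
    raw_path = urlsplit(target).path
    if not raw_path.startswith(TRAVERSAL_PREFIXES):
        return None
    decoded = unquote(unquote(raw_path))  # handles single and double percent-encoding
    resolved = posixpath.normpath(decoded)
    if ".." in decoded and resolved.startswith(RESTRICTED_PREFIXES):
        return "CVE-2024-27199 pattern: %s -> %s" % (raw_path, resolved)
    return None


def scan(lines):
    """Return (source_ip, status, finding, known_ioc) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = detect_27198(m.group("target")) or detect_27199(m.group("target"))
        if finding:
            try:
                known = ipaddress.ip_address(m.group("ip")) in KNOWN_SCANNERS
            except ValueError:  # hostname or malformed address in the log
                known = False
            hits.append((m.group("ip"), int(m.group("status")), finding, known))
    return hits


# Constructed sample lines. The first source address is copied from the IoC table
# in this post; the others are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '143.198.150.42 - - [05/Mar/2024:10:15:01 +0000] "POST /hax?jsp=/app/rest/server;.jsp HTTP/1.1" 200 512',
    '203.0.113.11 - - [05/Mar/2024:10:16:44 +0000] "POST /res/../app/https/settings/uploadCertificate HTTP/1.1" 200 88',
    '203.0.113.12 - - [05/Mar/2024:10:17:02 +0000] "GET /.well-known/acme-challenge/%2e%2e/%2e%2e/app/availableRunners HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Mar/2024:10:18:30 +0000] "GET /res/img/logo.png HTTP/1.1" 200 4096',
    '198.51.100.8 - - [05/Mar/2024:10:19:12 +0000] "GET /login.html?jsp=true HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for ip, status, finding, known in scan(SAMPLE_LOG):
        print(ip, status, finding, "(known IoC)" if known else "")
```

Any hit is worth triage regardless of the response code; a 2xx status on such a request means the restricted endpoint actually answered, which a patched server should not do. The two detectors are deliberately independent of the indicator list, since the addresses in the table are only the sources seen by CGSI and will change.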
Figure 2 – Screenshot of exploitation attempts observed via CGSI network
Threat actors attempting to exploit vulnerabilities within 24-48 hours of public disclosure indicates that they are weaponizing publicly available proof-of-concepts and exploits. Such swift action leaves organizations less than the time typically required to implement patches effectively and emphasizes the need for proactive countermeasures.
CRIL has repeatedly highlighted the impact of such vulnerability disclosures: threat actors (TAs) use the instant availability of proof-of-concept code to mass-exploit unpatched applications and gain initial access.
In this particular instance, the vulnerabilities in JetBrains TeamCity have begun to show indications of exploitation, with the resulting compromised access being sold by Initial Access Brokers (IABs) in the underground.
A recent post from a nefarious cybercrime forum indicates how quickly TAs try to monetize such cybersecurity developments.
Figure 3 – Screenshot of TA selling TeamCity access over underground forums
The vulnerabilities present in TeamCity by JetBrains demand immediate attention for patching, given that both are authentication bypass vulnerabilities. CVE-2024-27199 has the potential to enable attackers to execute denial-of-service attacks on TeamCity servers and perform man-in-the-middle attacks on client connections. Additionally, CVE-2024-27198 poses a significant risk by allowing a complete compromise of vulnerable TeamCity servers.
The active exploitation attempts witnessed by Cyble Global Sensor Intelligence, the availability of public exploit code, the presence of internet-exposed TeamCity instances, and the sale of compromised JetBrains access over underground forums collectively highlight the threat posed by these recent vulnerabilities.
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| 143[.]198[.]150[.]42 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 170[.]64[.]155[.]123 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 165[.]22[.]159[.]187 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 192[.]34[.]62[.]65 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 45[.]55[.]194[.]62 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 24[.]144[.]82[.]64 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 167[.]99[.]48[.]60 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 157[.]230[.]15[.]25 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 170[.]64[.]157[.]36 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 170[.]64[.]220[.]72 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
| 188[.]166[.]148[.]243 | IP Address | IP observed attempting to exploit CVE-2024-27198 |
https://blog.jetbrains.com/teamcity/2024/03/teamcity-2023-11-4-is-out
https://www.jetbrains.com/privacy-security/issues-fixed
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a