Warning: Authentication bypass leading to RCE on JetBrains TeamCity server currently exploited, Patch Immediately!

Reference:
Advisory #2023-119

Version:
1.0

Affected software:
JetBrains TeamCity (Continuous Integration and Deployment Server)

Type:
Remote Code Execution (RCE)

CVE/CVSS:
CVE-2023-42793: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

JetBrains - https://blog.jetbrains.com/teamcity/2023/09/cve-2023-42793-vulnerability-post-mortem/

Risks

Ransomware gangs are now exploiting a flaw (CVE-2023-42793) that allows unauthenticated attackers to gain remote code execution (RCE). It's an authentication bypass flaw that can be exploited by low-complexity attacks that don't require user Interaction.

The CVE has a score of 9.8 and the Impact on Confidentiality, Integrity and Availability is high.

Description

The critical vulnerability of score 9.8 was discovered by the Sonar team In Jetbrains TeamCity.

According to Jetbrains; if abused, the flaw could enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server.

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends Windows system administrators to take the following actions:

• Update the TeamCity server to the version: 2023.05.4

Or, when using older TeamCity versions (8.0+) and not able to upgrade quickly enough:

• Install the plugin from the Jetbrains webpage. (https://blog.jetbrains.com/teamcity/2023/09/cve- 2023-42793-vulnerability-post-mortem/)

References

NIST - https://nvd.nist.gov/vuln/detail/CVE-2023-42793

BleepingComputer - https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-exploiting-critical-teamcity-rce-flaw/ 

SecurityWeek - https://www.securityweek.com/recently-patched-teamcity-vulnerability-exploited-to-hack-servers/?web_view=true