Software development tool company JetBrains is urging customers to apply updates that fix a critical-severity authentication bypass flaw in on-premises instances of its continuous integration and continuous deployment (CI/CD) tool, TeamCity.
JetBrains released version 2023.05.4 to fix the flaw (CVE-2023-42793) on Sept. 18, and said that on-premises instances of the TeamCity CI/CD server are impacted. TeamCity is a tool that helps automate the processes for building, testing and deploying software applications. Because these types of servers have access to source code and the data related to building and deploying this source code, they are considered a “high-value target for attackers,” according to researchers with Sonar’s vulnerability research team, which discovered the flaw.
“The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution (RCE) attack and gain administrative control of the TeamCity server,” according to JetBrains’ security advisory released last week.
Researchers with Sonar said that TeamCity is a "widely used" CI/CD server deployed by more than 30,000 customers globally. Of note, that figure includes both on-premises and cloud-hosted servers, and the issue does not affect TeamCity Cloud. According to Shodan, at least 3,000 on-premises servers are directly exposed to the internet.
An attacker who exploited the flaw to gain remote code execution could use that access for further malicious activity, including stealing source code or private keys and taking control of attached build agents. Stefan Schiller, vulnerability researcher with Sonar, said that the flaw could also serve as a supply-chain attack vector.
“With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users,” said Schiller.
Caitlin Condon, senior manager of vulnerability research for Rapid7, said on Sept. 25 that Rapid7 researchers are not aware of any in-the-wild exploitation for the flaw, and no public exploit code is currently available. Meanwhile, Sonar researchers said they would not be disclosing technical details for the flaw at this time.
Both Sonar and Rapid7 researchers recommended that TeamCity customers upgrade to the fixed version immediately, and Rapid7 researchers said that customers unable to upgrade or apply fixes “should consider taking the server offline until the vulnerability can be mitigated.”
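Because the fix is tied to a specific release (2023.05.4), the practical first step is confirming which version each on-premises server actually runs. The script below is an added example written for this page, not code from JetBrains, Sonar or Rapid7: it reads the version string from TeamCity's server-info XML and compares it numerically against the fixed release. The REST endpoint path (`/app/rest/server`), the XML attribute layout and the bearer-token header are assumptions about the TeamCity API made for this example, and the embedded sample responses (including their build numbers) are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.error import URLError
from urllib.request import Request, urlopen

# First on-premises release that carries the fix for CVE-2023-42793 (from the advisory).
FIXED_VERSION = (2023, 5, 4)

# Constructed samples of the server-info XML; the attribute layout is an assumption
# about TeamCity's /app/rest/server response, and the build numbers are placeholders.
SAMPLE_VULNERABLE = (
    '<server version="2023.05.3 (build 100001)" versionMajor="2023" versionMinor="5" '
    'buildNumber="100001" role="main_node" webUrl="https://ci.example.test"/>'
)
SAMPLE_FIXED = (
    '<server version="2023.05.4 (build 100002)" versionMajor="2023" versionMinor="5" '
    'buildNumber="100002" role="main_node" webUrl="https://ci.example.test"/>'
)


def parse_version(text):
    """Turn a TeamCity version string such as '2023.05.4 (build 100002)' into a
    comparable tuple (year, minor, patch). A missing patch component counts as 0,
    so '2023.05' sorts below '2023.05.4'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(version_string):
    """True when the server runs 2023.05.4 or later. Tuple comparison is used
    deliberately: a plain string comparison would rank '2023.05.10' below
    '2023.05.4' and report a patched server as vulnerable."""
    return parse_version(version_string) >= FIXED_VERSION


def assess(xml_text):
    """Parse a server-info XML document and report the version and patch status."""
    root = ET.fromstring(xml_text)
    version = root.get("version")
    if version is None:
        raise ValueError("server element has no 'version' attribute")
    return {"version": version, "patched": is_patched(version)}


def fetch_server_info(base_url, token=None, timeout=10):
    """Fetch the server-info XML from a live TeamCity instance.

    Assumptions for this example: the endpoint is /app/rest/server and, when
    guest access is disabled, a TeamCity access token is accepted as a Bearer
    token. Network access is required; the checks above work offline."""
    req = Request(base_url.rstrip("/") + "/app/rest/server",
                  headers={"Accept": "application/xml"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except URLError as exc:
        raise RuntimeError(f"could not reach {base_url}: {exc}") from exc


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        result = assess(sample)
        status = "patched" if result["patched"] else "VULNERABLE, upgrade to 2023.05.4+"
        print(f"{label:10s} {result['version']:28s} -> {status}")
```

Run `assess(fetch_server_info("https://ci.example.test", token=...))` against each on-premises server in an inventory. A version check only tells you whether the fix is present; it says nothing about whether an exposed server was already compromised, which is why the Rapid7 guidance to take unpatchable servers offline still applies.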
“Because this vulnerability does not require a valid account on the target instance and is trivial to exploit, it is likely that this vulnerability will be exploited in the wild,” according to Schiller. “We strongly advise all TeamCity users to apply the latest patch provided by JetBrains as soon as possible.”