Executive Summary

    On March 4th, 2024, software development company JetBrains disclosed two critical vulnerabilities (CVE-2024-27198 and CVE-2024-27199) in their Continuous Integration / Continuous Delivery (CI/CD) product, TeamCity. The vulnerabilities are rated CRITICAL severity and could allow an unauthenticated attacker to "bypass authentication checks and gain administrative control of that TeamCity server."

    Full technical details of the vulnerabilities have already been published, and the vulnerabilities have been determined to be easy to exploit, remotely attackable, and exploitable without credentials. Additionally, other security firms have reported observing widespread exploit attempts targeting these vulnerabilities, and Lodestone expects continued attempted exploitation by a broad range of cyber-criminal actors.

    These vulnerabilities were discovered and reported to the vendor by a legitimate security company, so a patch was already available at the time of disclosure. We highly recommend patching affected systems as soon as possible.

    Affected Systems or Products

    The following products are reported vulnerable, according to JetBrains: 

    • all versions of TeamCity “On-Premise” servers prior to version 2023.11.4 

    Mitigations / Workarounds

    JetBrains has provided a fix in their automatic update system for TeamCity.  They have additionally provided a security patch plugin that can be manually downloaded and applied according to their provided instructions. 

    Patches

    JetBrains TeamCity release version 2023.11.4 provides a full fix. 

    JetBrains provides patches for TeamCity 2018.2 and newer, and separately for 2018.1 and older, on their site, detailed here.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management Solution, Karma, to identify potentially impacted devices and support organizations in remediation of any issues found.