Critical JetBrains TeamCity vulnerabilities under attack

Exploitation activity has started against two vulnerabilities in JetBrains TeamCity, which has been targeted previously by nation-state threat actors such as Russia's Cozy Bear.

JetBrains confirmed Tuesday that two critical vulnerabilities in the company's TeamCity product are under attack.

On Sunday, JetBrains disclosed two vulnerabilities tracked as CVE-2024-27198 and CVE-2024-27199 that affect TeamCity on-premises versions through 2023.11.3 and could allow an unauthenticated attacker to gain administrative control of a server running the CI/CD platform. Stephen Fewer, principal security researcher at Rapid7, was credited for discovery and reported the vulnerabilities to JetBrains in February.

[Editor's note: JetBrains' disclosure was initially dated Sunday, March 3, but later changed to March 4 because of an apparent time zone discrepancy.]

Rapid7 and JetBrains observed exploitation activity this week, though the scope remains unclear. It's critical that users update and apply mitigations because a previous TeamCity vulnerability was exploited in attacks by a Russian nation-state actor known as Cozy Bear, as well as North Korean threat actors last year.

Daniel Gallo, TeamCity solutions engineer at JetBrains, provided technical analysis and mitigation steps in a blog post Sunday. "JetBrains' policy typically involves withholding technical details of vulnerabilities for a longer period of time after a release to ensure thorough mitigation; however, this accelerated timeline necessitates an immediate server upgrade or patching to prevent exploitation," Gallo wrote in the blog.

JetBrains also urged users to apply the security patch plug-in if they are unable to update servers. Customers are instructed to take servers offline if they can't immediately apply mitigations. JetBrains added that TeamCity Cloud servers were patched and "verified that they weren't attacked."

TechTarget Editorial contacted JetBrains about reports of exploitation. Gallo provided the following statement: "We have received at least one report of the vulnerability being exploited in a TeamCity On-Premises server."

TechTarget Editorial also contacted Rapid7 regarding exploitation activity. "Rapid7 has seen attempted exploitation but has not yet confirmed any successful code execution as of this morning," the company said in an email.

Rapid7 also detailed the vulnerabilities and provided recommendations in a blog post Monday. While both vulnerabilities allow for authentication bypass, researchers emphasized that CVE-2024-27198 is the more severe of the two, with a 9.8 CVSS score. The blog warned that an attacker could exploit the vulnerability to create a new administrator account with a password the threat actor controls, as well as generate a new administrator access token. Either technique would allow the attacker to gain full control of the victim's TeamCity server.

"Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack," the blog said.

In October, Microsoft warned of a software supply chain threat after North Korean nation-state actors exploited previous TeamCity vulnerabilities. After successfully exploiting the TeamCity flaws, attackers deployed malware to maintain persistent access to a victim environment.

The Shadowserver Foundation, a nonprofit cybersecurity organization, also observed exploitation activity for CVE-2024-27198 and CVE-2024-27199, which it said began on Monday.

Disclosure disagreements

While Rapid7 and JetBrains agreed on the severity of the vulnerabilities, there was a conflict with the disclosure timeline. Rapid7 accused JetBrains of breaking the coordinated vulnerability disclosure rules and silently patching the two flaws. The security vendor claimed JetBrains released a fixed version of TeamCity on March 3 without notifying Rapid7 that fixes were implemented and available to the public.

"When Rapid7 contacted JetBrains about their uncoordinated vulnerability disclosure, JetBrains published an advisory on the vulnerabilities without responding to Rapid7 on the disclosure timeline. JetBrains later responded to indicate that CVEs had been published," Rapid7 wrote in the blog post.

The disclosure timeline also revealed that Rapid7 initially contacted JetBrains on Feb. 15 to report the vulnerabilities. Rapid7 followed up Feb. 19 after JetBrains did not reply. On Feb. 20, Rapid7 provided a technical analysis and JetBrains confirmed it was able to reproduce the issues.

The dispute began Feb. 21, when JetBrains apparently floated the idea of silently patching the flaws. "JetBrains suggests releasing patches privately before a public disclosure of the issues. Rapid7 responds, emphasizing the importance of coordinated disclosure and our stance against silently patching vulnerabilities," the blog said.

JetBrains then asked Rapid7 what it considers to be silent patching. Rapid7 sent the vendor additional material, including a separate blog post, titled "The Hidden Harm of Silent Patches," from 2022 by Tod Beardsley, principal security research manager at Rapid7.

"When you silently patch, you are communicating vulnerability details, exclusively, to skilled criminal attackers who are specifically targeting your product, while leaving your customers in the dark," Beardsley wrote in the blog post.

The last correspondence Rapid7 had with JetBrains prior to public disclosure was on March 1, when JetBrains informed the vendor it was "still investigating the issue, its root cause and affected versions."

Gallo responded to Rapid7's silent patching accusation in a follow-up blog post Monday. He emphasized that JetBrains "properly communicated the timeline" from its point of view. JetBrains' timeline did not include the initial Feb. 15 notification from Rapid7.

Gallo outlined JetBrains' suggested public disclosure plan, which was to release the fixed version and workaround while simultaneously communicating the vulnerabilities to customers through email rather than a public advisory. JetBrains said it would publish the CVE and a blog post "a few days" after the email notifications were sent. Full technical details would follow once a significant number of customers were upgraded.

Gallo argued that JetBrains believes full disclosure could allow "less skilled attackers" to exploit the vulnerabilities on vulnerable TeamCity instances. He claimed Rapid7 "rejected" the vendor's disclosure suggestions.

"At this point, we made a decision not to make a coordinated disclosure with Rapid7 as we strongly believe that publishing all technical details at the same time as releasing a fix allows anyone to immediately exploit the issue before all customers have had a chance to patch their servers," Gallo wrote in the blog. "To reiterate, we never had any intention to release a fix silently without making the full details public."

TechTarget Editorial asked JetBrains about the disclosure process.

"Rapid7 decided to fully disclose details of the vulnerabilities within several hours after we released a fixed version and security patch," Gallo said. "Unfortunately, this decision may have provided attackers with the opportunity to exploit the vulnerability before some customers had the chance to patch or upgrade their servers. It's important to note that for another recent critical vulnerability we addressed (CVE-2024-23917), where full disclosure has not yet been made, we are not aware of any attempts to exploit it."

Arielle Waldman is a Boston-based reporter covering enterprise security news.