JetBrains releases urgent advisory on vulnerabilities affecting TeamCity

Czech software giant JetBrains has advised users to urgently patch two vulnerabilities affecting all on-premises versions of its TeamCity product, which is used by developers to test and exchange software code before its release.

JetBrains published the advisory on Sunday about the vulnerabilities CVE-2024-27198 and CVE-2024-27199 — noting that both were discovered last month by Stephen Fewer, principal security researcher at Rapid7.

“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company said.

“TeamCity Cloud servers have already been patched, and we have verified that they weren’t attacked.”

The urgency around patching the bugs was increased due to a minor dispute between Rapid7 and JetBrains around the reporting of the vulnerabilities.

In its own notice about the issues, Rapid7 said it reported the vulnerabilities to JetBrains on February 15 and went back and forth with the company about them for six days.

Rapid7 has a strict policy against “silent patching” — where companies quietly patch reported vulnerabilities without notifying customers. Many cybersecurity experts say the practice leaves defenders in the dark about significant issues and does not give researchers time to test whether patches have fully addressed an issue.

JetBrains suggested releasing patches privately before public disclosure of the issue, which Rapid7 objected to. JetBrains then stopped responding to messages until March 1, when they said the issues were still being investigated.

Rapid7 then discovered that JetBrains released a fixed version of TeamCity on March 3 without notifying them that fixes had been implemented and were generally available.

JetBrains did not respond to requests for comment but said in its advisory that Rapid7 is “strictly adhering to its vulnerability disclosure policy, which means their team will publish the full technical details of these vulnerabilities within 24 hours of this announcement.”

“It is, therefore, imperative you upgrade or patch your server immediately,” JetBrains said.

“JetBrains’ policy typically involves withholding technical details of vulnerabilities for a longer period of time after a release to ensure thorough mitigation; however, this accelerated timeline necessitates an immediate server upgrade or patching to prevent exploitation. If your server is publicly accessible over the internet, and you are unable to immediately perform one of the mitigation steps described below, we strongly recommend making your server inaccessible until mitigation actions have been completed.”

JetBrains provided a range of options for customers that include simply updating servers, as well as other mitigations for those unable to apply the patch.

Rapid7 said CVE-2024-27198 is the most severe of the vulnerabilities because it “allows for a complete compromise of a vulnerable TeamCity server by a remote unauthenticated attacker.”

“Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack,” Rapid7 noted.

“The second vulnerability, CVE-2024-27199, allows for a limited amount of information disclosure and a limited amount of system modification, including the ability for an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of the attacker's choosing.”

A spokesperson for Rapid7 noted that TeamCity is a frequent target of nation-state hackers. Both Russia and North Korea have been implicated in attack campaigns targeting TeamCity servers over the last year.

Government agencies in the U.S., Poland and the U.K. said in December that Russia’s Foreign Intelligence Service (SVR) was seen “using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.”

They warned that exploitation of a TeamCity server would “provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes — access a malicious actor could further use to conduct supply chain operations.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.