CVE-2024-27198

Analysis and mitigation of the TeamCity vulnerability (CRITICAL, CVSS 9.8)

High-profile threat

Overview

JetBrains TeamCity (on-premises) versions before 2023.11.4 contain an authentication bypass caused by improper access control in the web component. A remote, unauthenticated attacker who can reach the TeamCity web interface can call administrative functionality, including the REST API, without any credentials and take full administrative control of the server. The vulnerability was disclosed on March 4, 2024. CISA has listed CVE-2024-27198 as actively exploited and known to be used in ransomware campaigns.

Technical details

TeamCity's web server routes requests for paths that do not exist through a fallback handler. In affected versions that handler honoured a jsp query parameter naming the internal path to forward the request to, and accepted the value as long as it appeared to end in .jsp. Because a path parameter such as ;.jsp satisfies that check while leaving the resource the servlet container actually resolves unchanged, a request of the form /<nonexistent>?jsp=/app/rest/users;.jsp is forwarded to the authenticated REST API with no credential or session check at all. Every REST endpoint, including the ones that create users with administrator roles and issue access tokens, was therefore reachable by an unauthenticated client.

The vulnerability is classified as CWE-287 (Improper Authentication), CWE-269 (Improper Privilege Management) and CWE-639 (Authorization Bypass Through User-Controlled Key).

It received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and total loss of confidentiality, integrity and availability of the TeamCity server. (A changed-scope vector with the same metrics would score 10.0; 9.8 corresponds to S:U.)
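The bypass leaves a distinctive trace in the access logs of a reverse proxy in front of TeamCity: a request to an arbitrary path whose query string carries a jsp parameter pointing at a real resource via the ;.jsp trick, answered with 200 instead of the 401 a direct unauthenticated call would get. The following detection script is an added example, not code from the original advisory or from JetBrains; it assumes nginx/Apache combined-format access logs, and the log lines in SAMPLE_LOG are constructed for this example.

```python
"""Flag access-log entries matching the CVE-2024-27198 authentication-bypass pattern.

Added example, not code from the original advisory or from JetBrains. It assumes a
reverse proxy (nginx/Apache) in front of TeamCity writing combined-format access logs;
the log lines in SAMPLE_LOG are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# combined log format: client ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Constructed sample: two bypass requests from one client, then normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2024:10:15:32 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 412 "-" "curl/8.4.0"
203.0.113.7 - - [04/Mar/2024:10:15:33 +0000] "GET /hax?jsp=%2Fapp%2Frest%2Fserver%3B.jsp HTTP/1.1" 200 1533 "-" "curl/8.4.0"
198.51.100.20 - - [04/Mar/2024:10:16:01 +0000] "GET /login.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [04/Mar/2024:10:16:05 +0000] "GET /app/rest/server HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def query_params(target: str) -> list:
    """Split the query string by hand so that ';' inside a value is preserved
    (older urllib.parse.parse_qs versions treat ';' as a pair separator)."""
    if "?" not in target:
        return []
    pairs = []
    for item in target.split("?", 1)[1].split("&"):
        key, _, value = item.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def bypass_reason(target: str):
    """Return why a request target looks like the bypass, or None.

    The bypass hands TeamCity's 404 handler a `jsp` query parameter whose value
    ends in `.jsp` only thanks to a `;.jsp` path parameter, so the request is
    forwarded to a real, normally authenticated resource such as /app/rest/...
    """
    for key, value in query_params(target):
        if key != "jsp":
            continue
        if ";" in value and value.lower().endswith(".jsp"):
            return "jsp parameter uses ';.jsp' path-parameter trick: " + value
        if value.startswith("/app/rest/"):
            return "jsp parameter points at REST API: " + value
        return "unexpected jsp parameter: " + value
    return None


def scan_access_log(text: str) -> list:
    """Return one dict per suspicious line: client, method, status, jsp target, reason."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = bypass_reason(m["target"])
        if reason is None:
            continue
        jsp = dict(query_params(m["target"])).get("jsp")
        hits.append({
            "client": m["client"],
            "method": m["method"],
            "status": int(m["status"]),
            "jsp": jsp,
            "reason": reason,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        # a 200 on a forwarded REST call is the strongest signal of a successful bypass
        print(hit["client"], hit["method"], hit["status"], hit["jsp"], "-", hit["reason"])
```

Any request with a jsp query parameter deserves a look, since the TeamCity UI does not pass one; a flagged POST to /app/rest/users or a GET that returns 200 where a direct call returned 401 is a strong indication the bypass succeeded and the server should be treated as compromised.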

Impact

An attacker exploiting this vulnerability gains complete administrative control over the TeamCity instance. That allows them to create new accounts with administrator privileges, change existing users' credentials, read sensitive build configurations and artifacts, modify build pipelines to inject malicious code into the software they produce, recover the version control credentials and other secrets TeamCity stores, steal source code and intellectual property, disrupt CI/CD operations, deploy malicious software, and pivot to the build agents and to the systems TeamCity deploys to. In an enterprise environment this amounts to a compromise of the entire software development pipeline, so a server found to have been exposed should be reviewed for unexpected administrator accounts, new access tokens and changed build configurations, not merely patched.

Mitigation and workarounds

Update TeamCity to version 2023.11.4 or later. JetBrains recommends upgrading immediately; the fixed releases are 2023.11.4 and later and 2024.1 and later. TeamCity Cloud instances were patched by JetBrains. For on-premises servers that cannot be upgraded right away, JetBrains also published a security patch plugin that closes this issue on older versions. A typical upgrade: 1) stop the TeamCity service, 2) back up the current installation and the data directory, 3) download and install the new version from the JetBrains website, 4) restart the service and confirm that the server reports the new version.

Until the fix is applied, the following measures reduce exposure but do not close the hole, because the bypass is a single unauthenticated HTTP request from any network the server is reachable from: 1) restrict access to the TeamCity web port to authorized users and networks with firewall rules; 2) place TeamCity behind a reverse proxy (nginx, Apache) that enforces its own authentication, such as client certificates or SSO, before forwarding requests; 3) add WAF or reverse-proxy rules that reject requests whose query string carries a jsp parameter, which the bypass relies on, and alert on any attempt; 4) if none of these can be applied, take the instance off the network until it is patched.

CISA recommendation: apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
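Checking a fleet of servers against the fixed versions is a version-comparison problem with a few traps (a two-component version such as 2024.1, the first release of a line such as 2023.11, older lines such as 2022.10.x). The script below is an added example, not code from the original advisory or from JetBrains; it assumes the version string TeamCity reports (for example "2023.11.3 (build 147512)") and the version attribute of the server element returned by the REST API. The inventory and build numbers in it are constructed, not real.

```python
"""Triage TeamCity servers against the CVE-2024-27198 fix version (2023.11.4).

Added example, not from the original advisory or from JetBrains. It works on the
version string TeamCity reports (e.g. "2023.11.3 (build 147512)") and on the
`version` attribute of the <server> element returned by the REST API; the build
numbers and the inventory below are constructed, not real.
"""
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# 2023.11.4 is the first fixed release; 2024.1 and later also contain the fix.
FIXED_IN = (2023, 11, 4)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2023.11.3 (build 147512)' or '2024.1' into a comparable 3-tuple.

    Missing components are treated as 0, so '2024.1' -> (2024, 1, 0) and
    '2023.11' (the first release of that line) -> (2023, 11, 0).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_vulnerable(version_text: str) -> bool:
    """True when the version predates 2023.11.4, i.e. lacks the fix."""
    return parse_version(version_text) < FIXED_IN


def version_from_rest(xml_text: str) -> str:
    """Extract the version attribute from a /app/rest/server response body."""
    root = ET.fromstring(xml_text)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("not a TeamCity <server> element")
    return root.attrib["version"]


# Constructed inventory: hostname -> REST <server> body (build numbers are made up).
INVENTORY = {
    "ci-old.example.internal": '<server version="2023.11.3 (build 100001)" versionMajor="2023" versionMinor="11"/>',
    "ci-fixed.example.internal": '<server version="2023.11.4 (build 100002)" versionMajor="2023" versionMinor="11"/>',
    "ci-new.example.internal": '<server version="2024.1 (build 100003)" versionMajor="2024" versionMinor="1"/>',
    "ci-legacy.example.internal": '<server version="2022.10.3 (build 100004)" versionMajor="2022" versionMinor="10"/>',
}


def triage(inventory: dict) -> list:
    """Return [(host, version, vulnerable)] with vulnerable hosts listed first."""
    rows = []
    for host, body in inventory.items():
        version = version_from_rest(body)
        rows.append((host, version, is_vulnerable(version)))
    rows.sort(key=lambda r: (not r[2], r[0]))
    return rows


if __name__ == "__main__":
    for host, version, vuln in triage(INVENTORY):
        print(f"{'VULNERABLE' if vuln else 'ok        '} {host:28} {version}")
```

Servers flagged VULNERABLE need the 2023.11.4+ upgrade or the security patch plugin; a version check alone says nothing about whether the bypass was already used, so the log review above still applies to every server that was exposed while unpatched.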

Source: this report was generated by AI

Related JetBrains vulnerabilities

No related vulnerabilities with identified affected products.