Overview
JetBrains TeamCity versions before 2023.11.4 contain an authentication bypass vulnerability in admin functionality due to improper access control. The vulnerability allows attackers with access to the system to perform administrative actions without valid authentication credentials. It was disclosed on March 4, 2024. CISA has identified CVE-2024-27198 as actively exploited, and it is known to be used in ransomware campaigns.
Technical details
TeamCity contains a flaw in its admin functionality access control mechanisms that allows unauthenticated or insufficiently authenticated users to bypass authentication checks and perform administrative operations. The vulnerability exists in the authentication layer where certain admin endpoints fail to properly validate user credentials or session tokens before executing privileged operations.
The vulnerability is classified as CWE-287 (Improper Authentication), CWE-269 (Improper Access Control (Authority, Authentication, and Access Control)) and CWE-639 (Authorization Bypass Through User-Controlled Key).
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
An attacker exploiting this vulnerability could gain complete administrative control over the TeamCity instance. This allows them to: create new user accounts with elevated privileges, modify existing user credentials, access sensitive build configurations and artifacts, modify build pipelines to inject malicious code, access version control credentials stored in TeamCity, steal intellectual property and source code, disrupt CI/CD operations, deploy malicious software, and potentially pivot to other systems managed by TeamCity. In enterprise environments, this could compromise the entire software development pipeline.
Mitigation and workarounds
Update TeamCity to version 2023.11.4 or later. JetBrains recommends that users upgrade to the patched version immediately. The update process typically involves:
1) Stopping the TeamCity service.
2) Backing up the current installation and data directory.
3) Downloading and installing the latest version from the JetBrains website.
4) Restarting the TeamCity service and verifying the update.
The following versions include the necessary fixes: 2023.11.4 and later, 2024.1 and later.
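Step 4 ("verifying the update") comes down to confirming that the running server reports a version of 2023.11.4 or later. The following helper is an added example written for this advisory, not JetBrains code: it parses the version banner TeamCity shows (strings such as "2023.11.3 (build 147512)" or "2024.1"), compares it against the fix threshold stated above, and refuses to treat an unparseable banner as patched. The REST endpoint /app/rest/server used by fetch_version() is an assumption about the TeamCity API; confirm it against your own instance's documentation before relying on it.

```python
"""Check whether a TeamCity version string is affected by CVE-2024-27198.

Hypothetical helper written for this advisory; it is not JetBrains code.
The fix threshold (2023.11.4) comes from the advisory text. The REST
endpoint /app/rest/server used by fetch_version() is an assumption about
the TeamCity API that should be verified against your own server.
"""
import re
import urllib.request
from xml.etree import ElementTree

# First release that contains the fix, as stated in the advisory.
FIXED_VERSION = (2023, 11, 4)

# TeamCity banners look like "2023.11.3 (build 147512)", "2023.05.4" or "2024.1".
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text):
    """Return (year, release, bugfix) parsed from a TeamCity version string.

    Raises ValueError for text that does not look like a TeamCity version,
    so an unrecognised banner is never silently reported as patched.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError("unrecognised TeamCity version: %r" % text)
    year, release, bugfix = match.groups()
    # A two-part version such as "2024.1" is the .0 bugfix level.
    return (int(year), int(release), int(bugfix or 0))


def is_vulnerable(text):
    """True when the reported version is below the first fixed release."""
    return parse_version(text) < FIXED_VERSION


def fetch_version(base_url, timeout=10):
    """Read the server version over the TeamCity REST API (assumed endpoint).

    Assumption: GET /app/rest/server returns XML whose root element carries
    a 'version' attribute. Needs network access and a suitably permitted
    user; not exercised in the offline demo below.
    """
    url = base_url.rstrip("/") + "/app/rest/server"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        root = ElementTree.fromstring(resp.read())
    return root.attrib["version"]


if __name__ == "__main__":
    # Constructed sample banners so the check can be run offline.
    samples = [
        "2023.11.3 (build 147512)",
        "2023.11.4 (build 147512)",
        "2024.1",
        "2023.05.4",
    ]
    for banner in samples:
        status = "VULNERABLE - upgrade" if is_vulnerable(banner) else "patched"
        print(f"{banner:30} {status}")
```

Run the script after the upgrade and compare its verdict with the version shown in the TeamCity administration UI; if the two disagree, the old installation may still be the one serving requests.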
As temporary workarounds until the patch can be applied:
- Implement network-level access controls so that only authorized users and networks can reach TeamCity; use firewall rules to limit which IP addresses can access the TeamCity instance.
- Disable or restrict access to admin functionality, where configuration options make this possible.
- Place TeamCity behind a reverse proxy (nginx, Apache) with an additional authentication layer for defense in depth.
- Implement web application firewall (WAF) rules to detect and block suspicious access attempts against admin endpoints.
CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI