CVE-2023-42793 – TeamCity Authentication Bypass Flaw: A Critical Threat to CI/CD Servers

When the digital revolution sweeps across industries, CI/CD servers have become the linchpin in our development cycle. Among the myriad of CI/CD tools available, TeamCity by JetBrains has etched its mark, boasting deployments across more than 30,000 global customers. Yet, the greatest strength of an organization can sometimes be its Achilles heel. And for many using TeamCity, this reality has just been underscored by a recent vulnerability revelation.

Whether through its cloud-hosted TeamCity Cloud solution or the on-premises TeamCity deployment, this CI/CD juggernaut powers the development lifecycle of countless organizations. Recent data from Shodan highlights a somewhat alarming fact: over 3,000 on-premises TeamCity servers stand exposed directly to the web.

Now, why should this be of concern? The pivotal role of CI/CD servers isn’t just to streamline and automate our build-test-deploy processes. They guard some of the most valuable treasures of a tech organization: the source code. Alongside this, these servers often house sensitive secrets, and cryptographic keys, and are custodians of build artifacts, which eventually weave into the fabric of our software releases. Simply put, they’re a goldmine for cyber attackers.

With a staggering CVSS score of 9.8, the flaw, christened as CVE-2023-42793, is no minor chink in the armor. This vulnerability, specific to the on-premises version of TeamCity, permits an authentication bypass. What this means is stark and unsettling: without requiring any authentication, malicious actors can achieve remote code execution (RCE) on the compromised server.

Consider the possibilities and implications. An attacker could access, exfiltrate, or even tamper with source code. But the threat doesn’t stop there. With the CI/CD server under their control, cyber adversaries could embed malicious code into the software build process, potentially undermining the integrity of countless software releases, and by extension, the vast user base relying on them.

Given its ease of exploitation and the fact that it doesn’t necessitate any user intervention, the prospects of this vulnerability being weaponized in real-world attacks are significantly high.

“This enables attackers not only to steal source code but also stored service secrets and private keys. And it’s even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users,” Sonar notes.

Security researchers from PT SWARM have reproduced the CVE-2023-42793 flaw. in JetBrains TeamCity.

🔥 We have reproduced the fresh CVE-2023-42793 in JetBrains TeamCity.

Authentication bypass allows an external attacker to gain administrative access to the server and execute any commands on it.

Update your software ASAP! pic.twitter.com/DXp2gJ1HTq

— PT SWARM (@ptswarm) September 25, 2023

Acknowledging the gravity of the situation, JetBrains acted promptly. In the subsequent release, TeamCity version 2023.05.4, the CVE-2023-42793 vulnerability was patched. JetBrains didn’t stop there. For the convenience and safety of its extensive user base, a security patch plugin was rolled out for TeamCity versions spanning from 8.0 onwards.

However, it’s essential to note that JetBrains has declared its intent not to backport the fix. Organizations with legacy versions must, therefore, be proactive in assessing their risk exposure and adopting mitigation measures.