Two Critical Security Vulnerabilities Actively Exploited, CISA Warns

KEV Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two recently patched security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities affect JetBrains TeamCity and the Windows CNG Key Isolation Service.

JetBrains TeamCity CVE-2023-42793 (CVSS score 9.8)

The JetBrains TeamCity vulnerability, tracked as CVE-2023-42793, is a critical authentication bypass flaw that allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform a remote code execution attack and gain administrative control of the server. This could allow attackers to steal source code, service secrets, and private keys, take control over attached build agents, and poison build artifacts.

Sonar’s security researcher Stefan Schiller warns that malevolent actors might harness this vulnerability to filch crucial assets like source code, service secrets, and private keys. The repercussions don’t end there. Threat actors could also hijack attached build agents and contaminate build artifacts, jeopardizing the integrity of build pipelines.

The vulnerability affects on-premise versions of JetBrains TeamCity 8.0 and above. JetBrains has released a security patch plugin for these versions to specifically address the flaw.

Windows CNG Key Isolation Service CVE-2023-28229 (CVSS score 7.0)

The Windows CNG Key Isolation Service vulnerability, tracked as CVE-2023-28229, is an elevation of privilege vulnerability that allows a local authenticated attacker to gain elevated privileges on the system. By winning a race condition, an attacker could exploit this vulnerability to obtain limited SYSTEM privileges.

The vulnerability affects all versions of Windows 7 and above. Microsoft patched the vulnerability in its April 2023 Patch Tuesday updates.

CISA Recommendations

CISA has recommended that all organizations using JetBrains TeamCity or Windows update their systems to the latest versions as soon as possible. The directive is straightforward – apply vendor-provided fixes for the identified vulnerabilities by October 25, 2023, to minimize the associated risks.
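As an added example (not from the article, CISA or either vendor), the Python below turns the directive above into a triage check: it reads a constructed feed in the shape of CISA's KEV JSON, matches the two CVEs against a constructed asset inventory, and reports which hosts still need the vendor fix and how many days remain before the October 25, 2023 due date. Hostnames, the inventory and the feed contents are assumptions; the real feed has more fields, which this code ignores.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed, limited to the two
# entries covered above and the October 25, 2023 due date the article cites.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-42793", "vendorProject": "JetBrains", "product": "TeamCity",
     "dueDate": "2023-10-25", "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2023-28229", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2023-10-25", "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed inventory of hypothetical hosts: vendor, product, CVEs already remediated.
INVENTORY = {
    "build-01": {"vendor": "JetBrains", "product": "TeamCity", "patched": set()},
    "build-02": {"vendor": "JetBrains", "product": "TeamCity", "patched": {"CVE-2023-42793"}},
    "ws-07": {"vendor": "Microsoft", "product": "Windows", "patched": set()},
    "db-01": {"vendor": "PostgreSQL", "product": "PostgreSQL", "patched": set()},
}

def load_kev(feed_json):
    """Parse a KEV feed into {cveID: entry} with dueDate converted to a date."""
    entries = {}
    for v in json.loads(feed_json)["vulnerabilities"]:
        entry = dict(v)
        entry["dueDate"] = date.fromisoformat(v["dueDate"])
        entries[v["cveID"]] = entry
    return entries

def triage(kev, inventory, today_iso):
    """List (host, CVE) pairs still exposed, most urgent first; a host is exposed when
    vendor/product match (case-insensitive) and the CVE is not in its patched set."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, asset in inventory.items():
        for cve, entry in kev.items():
            same_product = (entry["vendorProject"].lower() == asset["vendor"].lower()
                            and entry["product"].lower() == asset["product"].lower())
            if not same_product or cve in asset["patched"]:
                continue
            days_left = (entry["dueDate"] - today).days  # negative once the due date passed
            findings.append({"host": host, "cve": cve, "due": entry["dueDate"].isoformat(),
                             "days_left": days_left, "overdue": days_left < 0,
                             "action": entry["requiredAction"]})
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))

if __name__ == "__main__":
    for f in triage(load_kev(KEV_FEED_JSON), INVENTORY, "2023-10-10"):
        print(f"{f['host']:9} {f['cve']:15} due {f['due']} ({f['days_left']:+d} d) {f['action']}")
```

Against the live catalog, replace KEV_FEED_JSON with the downloaded feed and INVENTORY with your asset data; anything the script lists with a negative days_left is past the deadline.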