Urgent: CVE-2024-27198 & CVE-2024-27199 Flaws in TeamCity Demand Your Attention
If you use TeamCity On-Premises for your continuous integration and delivery (CI/CD) pipeline, there’s breaking news you need to act on immediately. Two critical security vulnerabilities have surfaced that could allow attackers to essentially hijack your TeamCity server without even needing a password!
The Danger: What Could Happen
The vulnerabilities, identified as CVE-2024-27198 and CVE-2024-27199, expose the underbelly of TeamCity’s security mechanisms, revealing weaknesses that could be exploited to perform unauthorized administrative actions. CVE-2024-27198, with a CVSS score of 9.8, enables an authentication bypass that could allow attackers to perform admin actions, posing a critical threat. Meanwhile, CVE-2024-27199, scored at 7.3, involves a path traversal flaw that could enable attackers to perform limited admin actions. This means they could:
- Change how your software is built and deployed
- Steal sensitive data like source code and project details
- Inject malicious code into your builds
“The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company warns.
Who’s At Risk
All versions of TeamCity On-Premises are vulnerable. If you run your own TeamCity server, you need to act. Fortunately, if you use JetBrains’ TeamCity Cloud, you’re already protected.
Why the Urgency?
Typically, technical details of vulnerabilities are kept under wraps for some time, allowing teams to patch their systems. In this case, however, cybersecurity firm Rapid7 (who discovered the vulnerabilities) released full details. This gives attackers a blueprint for exploitation, so patching before they use it is vital.
The Good News
JetBrains (the makers of TeamCity) and the cybersecurity experts at Rapid7 have worked swiftly to address this risk. Fixes are available, so there are clear actions you can take.
What You MUST Do Right Now
- Option 1: Update immediately. The best defense is to upgrade to the latest secure TeamCity version, 2023.11.4. This release fixes the vulnerabilities and includes other recent security improvements.
- Option 2: Patch if you can’t update yet. If upgrading is difficult right now, JetBrains has released a special security patch plugin. Install it on your existing TeamCity (even older versions) to close the security holes. You’ll find download links and instructions in the original security bulletin.
Extra Caution: Publicly Accessible Servers
If your TeamCity server can be reached from the internet, and you haven’t patched it yet, take it offline temporarily until you do! This is a serious threat.
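To turn the advice above into a repeatable check, here is an added Python example (not code from the article, JetBrains or Rapid7) that triages an inventory of TeamCity servers: anything older than 2023.11.4 is flagged, and flagged servers that are internet-facing get the "take offline first" recommendation. The version comparison treats the version as a year.minor.patch tuple and ignores build suffixes (an assumption). The optional `fetch_version` helper assumes TeamCity's REST endpoint `/app/rest/server` returns JSON with a `version` field when asked for `application/json`; verify that against your own server and add credentials if guest access is disabled. The inventory below is constructed sample data, not real hosts.

```python
import json
import re
import urllib.request
from typing import NamedTuple

# The fixed release named in the bulletin, compared as (year, minor, patch).
# Assumption: EAP or build suffixes are ignored for the comparison.
FIXED_VERSION = (2023, 11, 4)

_VERSION_RE = re.compile(r"(\d{4})\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (year, minor, patch) from a TeamCity version string such as
    '2023.11.4 (build 147512)'. A missing patch component counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    year, minor, patch = m.groups()
    return (int(year), int(minor), int(patch or 0))


def needs_action(version_text):
    """True when the server runs something older than the fixed release.
    Note: the security patch plugin does not change the reported version,
    so a plugin-patched server is still listed here for manual review."""
    return parse_version(version_text) < FIXED_VERSION


class Server(NamedTuple):
    name: str
    version: str
    internet_facing: bool


def triage(servers):
    """Map each server name to a recommendation following the bulletin:
    internet-facing and unpatched -> take offline, then upgrade/patch;
    internal and unpatched -> upgrade or install the patch plugin;
    otherwise no action."""
    result = {}
    for s in servers:
        if not needs_action(s.version):
            result[s.name] = "ok"
        elif s.internet_facing:
            result[s.name] = "take offline, then upgrade/patch"
        else:
            result[s.name] = "upgrade to 2023.11.4 or install patch plugin"
    return result


def fetch_version(base_url, timeout=10):
    """Assumption: GET /app/rest/server with 'Accept: application/json'
    returns a JSON object whose 'version' field holds the version string.
    Add an Authorization header if your server does not allow guest access.
    Only used for live checks; the sample run below stays offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


# Constructed sample inventory; names, versions and exposure are made up.
SAMPLE_INVENTORY = [
    Server("ci-internal", "2023.11.3 (build 147412)", False),
    Server("ci-public", "2023.05.4 (build 129421)", True),
    Server("ci-new", "2023.11.4 (build 147512)", False),
    Server("ci-legacy", "2022.10", True),
]

if __name__ == "__main__":
    for name, advice in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {advice}")
```

Run it as-is to see the triage of the constructed inventory; to check real servers, replace `SAMPLE_INVENTORY` with entries whose `version` comes from `fetch_version(base_url)`.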