
Voyager18 (research)

Fixing CVE-2024-27198 and CVE-2024-27199 in JetBrains' TeamCity

Explore the critical vulnerabilities CVE-2024-27198 and CVE-2024-27199 in JetBrains' TeamCity, their potential impact, and how to secure your CI/CD pipelines with essential updates.

Orani Amroussi | March 11, 2024

In the rapidly evolving world of cyber security, two new vulnerabilities have emerged, demanding immediate attention from the tech community. CVE-2024-27198 and CVE-2024-27199 are critical vulnerabilities that have been discovered in JetBrains’ TeamCity, a popular continuous integration and continuous delivery (CI/CD) server.  

These vulnerabilities pose significant security risks, potentially allowing attackers to execute arbitrary code or access sensitive information. This blog post aims to shed light on these vulnerabilities, their impact, and the steps required to mitigate them. 

TL;DR

Critical vulnerabilities CVE-2024-27198 and CVE-2024-27199 in JetBrains’ TeamCity could lead to severe security breaches. No active exploits yet, but urgent patching and heightened security practices are essential for affected users to safeguard their CI/CD environments.

 
 

What are CVE-2024-27198 and CVE-2024-27199?

At their core, CVE-2024-27198 and CVE-2024-27199 represent serious security flaws within the TeamCity server, a popular Continuous Integration and Continuous Deployment (CI/CD) tool used by developers worldwide to automate the building, testing, and deployment of software. 

CVE-2024-27198 is an authentication bypass vulnerability. It allows attackers to circumvent authentication mechanisms, granting unauthorized access to the TeamCity server. This could potentially enable an attacker to manipulate build processes, access sensitive information, or even alter the codebase, leading to a wide array of security concerns. 

 


 

CVE-2024-27199, on the other hand, is a command injection vulnerability. This flaw permits an attacker to execute arbitrary commands on the server hosting TeamCity. The implications of this vulnerability are far-reaching, as it could lead to the compromise of the underlying server, data theft, or the deployment of malicious code into the CI/CD pipeline. 

 


 

Both vulnerabilities pose a significant threat to the integrity and security of software development and deployment processes. Understanding the gravity of these vulnerabilities is the first step toward mitigating their potential impact. 

 

Do they affect me?

Determining whether CVE-2024-27198 and CVE-2024-27199 impact your organization is critical. These vulnerabilities are specific to JetBrains’ TeamCity, a CI/CD platform widely adopted for automating software build, test, and deployment processes.

If your development or operations teams utilize TeamCity, particularly versions prior to the patch releases addressing these vulnerabilities, your infrastructure could be at risk. 

Who is at risk? 

  • Organizations using JetBrains’ TeamCity, especially those not running the latest patched versions. 
  • Teams whose TeamCity instances are exposed to the internet or reachable within large networks, which increases the attack surface. 
  • Operations reliant on TeamCity for critical deployment pipelines, where unauthorized access or code execution could have severe repercussions.  

Assessing your risk 

  • Version Check: First, identify the version of TeamCity you are running. JetBrains has published the specific version numbers that are affected by these vulnerabilities. 
  • Configuration Review: Assess how your TeamCity server is configured. Instances exposed to the internet or configured without strong authentication mechanisms are at a higher risk. 
  • Usage Patterns: Consider how TeamCity integrates into your CI/CD pipeline. Highly sensitive projects with extensive dependencies or those critical to your business may elevate the potential impact of these vulnerabilities. 

 

Have CVE-2024-27198 and CVE-2024-27199 been actively exploited in the wild? 

As of the latest available information, there have been no confirmed instances of CVE-2024-27198 or CVE-2024-27199 being actively exploited in the wild.

However, the history of cybersecurity incidents teaches us that the period between the public disclosure of vulnerabilities and their active exploitation can be incredibly short.

Cyber criminals and malicious actors often act swiftly to leverage newly disclosed vulnerabilities before widespread patching occurs. 

The importance of proactive measures 

The absence of reported exploits does not equate to safety. On the contrary, it provides a critical window for preventative action. Given the severity of these vulnerabilities and the central role of TeamCity in many organizations’ CI/CD pipelines, the potential for targeted attacks is high.

The nature of these vulnerabilities—allowing for authentication bypass and arbitrary command execution—makes them particularly attractive targets for attackers looking to infiltrate and compromise systems.

 

How to fix CVE-2024-27198 and CVE-2024-27199

JetBrains has acknowledged these vulnerabilities and released updates to mitigate the risks associated with CVE-2024-27198 and CVE-2024-27199. To protect your systems, it is crucial to: 

  • Identify Vulnerable Versions: Review your TeamCity installations and identify any instances running the affected versions. 
  • Apply Patches Promptly: JetBrains has provided patches for these vulnerabilities. Apply these updates to your TeamCity installations without delay to mitigate the risk. 
  • Review Access Controls: As a precautionary measure, review and tighten access controls around your TeamCity environments. Ensure that only necessary personnel have access and that permissions are appropriately restricted. 
  • Monitor for Anomalies: Increase monitoring of your TeamCity installations for any unusual activities. Early detection of suspicious behavior could prevent or mitigate potential damage. 
  • Follow Best Practices: Beyond patching, adhere to cyber security best practices, including regular updates, backups, and the principle of least privilege. 
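The checks under "Assessing your risk" and the "Identify Vulnerable Versions" step above can be applied to an inventory of TeamCity servers to decide what to patch first. The Python below is an added example, not code from JetBrains or from this post. The `Instance` fields, the scoring weights, the sample inventory and the fixed-version value are all constructed assumptions, because the page does not state the patched release.

```python
import re
from dataclasses import dataclass

@dataclass
class Instance:
    name: str
    version: str            # string the server reports, e.g. "YYYY.MM.N (build NNN)"
    internet_exposed: bool
    strong_auth: bool
    critical_pipeline: bool

def parse_version(text):
    """'YYYY.MM[.N] (build NNN)' -> comparable tuple, or None if unparseable."""
    m = re.match(r"\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?\b", text or "")
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def triage(instances, fixed_version):
    """Return [(score, name, reasons)], most urgent first; score 0 means patched."""
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError(f"not a TeamCity version: {fixed_version!r}")
    rows = []
    for inst in instances:
        ver = parse_version(inst.version)
        if ver is not None and ver >= fixed:
            rows.append((0, inst.name, ["at or above fixed release"]))
            continue
        # Fail closed on unreadable versions; the weights are illustrative assumptions.
        reasons = ["version unknown" if ver is None else "below fixed release"]
        score = 1
        checks = ((inst.internet_exposed, 4, "reachable from the internet"),
                  (not inst.strong_auth, 2, "no strong authentication"),
                  (inst.critical_pipeline, 1, "feeds a critical pipeline"))
        for flag, weight, why in checks:
            if flag:
                score += weight
                reasons.append(why)
        rows.append((score, inst.name, reasons))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed inventory and a PLACEHOLDER fixed version: the page does not state
# the patched release, so take the real value from JetBrains' advisory.
FIXED_VERSION_PLACEHOLDER = "2099.01.1"
SAMPLE = [
    Instance("ci-public", "2098.11.3 (build 100001)", True, False, True),
    Instance("ci-internal", "2098.11.3 (build 100001)", False, True, False),
    Instance("ci-lab", "unknown", False, False, False),
    Instance("ci-new", "2099.01.1 (build 100500)", False, True, True),
]
```

Calling `triage(SAMPLE, FIXED_VERSION_PLACEHOLDER)` returns the servers in patch order; an instance whose version cannot be read is ranked as vulnerable rather than skipped.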

 

Next steps 

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. 2023 Vulnerability watch reports 
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Multi-cloud security challenges – a best practice guide
  5. How to properly tackle zero-day threats
