CVE-2023-42793, a critical authentication bypass vulnerability exposing users to potential remote code execution has been disclosed by JetBrains.
Here’s what you need to know.
What is CVE-2023-42793?
CVE-2023-42793 is a critical authentication bypass vulnerability in on-premises instances of the JetBrains TeamCity CI/CD server as disclosed by the company on September 20, 2023. The, affecting versions 2023.05.3 and below of TeamCity On-Premises, has been publicly disclosed by JetBrains and is said to enable an unauthenticated, remote attacker to gain administrative access thus possibly taking complete control of the TeamCity server
The popular Software development firm has fixed the critical vulnerability in TeamCity CI/CD (continuous integration and continuous delivery) solution, which might allow an authenticated attacker to achieve RCE and gain control of the server. Successful exploitation of the vulnerability has the potential to allow unauthenticated attackers with HTTP(S) access to a TeamCity server to perform Remote Code Execution and possibly gain administrative control of the server, subsequently exposing users to potential supply chain attack vectors.
According to security researcher with Sonar who reported the flaw, Stefan Schiller, no user interaction is required to trigger the vulnerability. Also, the vulnerability is said to enable attackers to steal not only source code but also stored service secrets and private keys. “And it’s even worse:”, Shiller adds, “With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users”.
Does CVE-2023-42793 affect me?
All on-prem versions of JetBrains TeamCity prior to 2023.05.4 are affected by CVE-2023-42793. However, it is important to note that TeamCity Cloud is not affected and TeamCity Cloud servers have already been upgraded to the latest version, according to JetBrains publications.
To update your server, download the latest version (2023.05.4) or use the automatic update option within TeamCity.
Has CVE-2023-42793 been actively exploited in the wild?
As of September 26, 2023, in-the-wild exploitation of CVE-2023-42793 has not been detected, and there is still no public exploit code available.
However, Exploits in the wild of the vulnerability are expected to emerge soon, due to the fact that the vulnerability does not require a valid account on the target instance (making it relatively trivial to exploit). Schiller also noted that “Shodan currently shows over 3,000 on-premises TeamCity servers accessible from the Internet”.
How to fix CVE-2023-42193
To fix CVE-2023-42193 It is strongly recommended to immediately upgrade to version 2023.05.4, the fixed version of the software. However, in its advisory JetBrains notes that hot fixes (vulnerability-specific security patch plugins) are available as a temporary workaround for TeamCity customers who are not able to upgrade to 2023.05.4, the Security patch plugin are the following:
- TeamCity 2018.2 to 2023.05.3
- TeamCity 8.0 to 2018.1
The plugins are supported on TeamCity 8.0+ and will mitigate the specific CVE-2023-42793 vulnerability but, nevertheless, they do not address any other security bug or issue included in the full 2023.05.4 upgrade.
For users operating on TeamCity 2019.2 and later, it is possible to enable the plugin without restarting the TeamCity server. In the case of versions older than 2019.2, after the plugin has been installed it is required to perform a server restart.
For the latest and most updated information, customers of TeamCity should refer to the JetBrains advisory on CVE-2023-42793.
To update your TeamCity server to the fixed version 2023.05.4 you should:
Perform a complete backup
Ensure you have a comprehensive backup of your TeamCity server, encompassing the database, Data Directory, logs, config files, and any other custom data. This backup is crucial for potential rollback in case of upgrade issues.
Download the latest TeamCity 2023.05.4 distribution
Visit the JetBrains website and download the latest TeamCity 2023.05.4 server distribution in the appropriate format for your installation type: *.zip, *.tar.gz, Docker image, or *.exe installer.
Windows installation
For Windows installations, execute the new 2023.05.4 installer executable. Specify your existing TeamCity Home Directory and follow the on-screen instructions to uninstall the previous version and install the new version.
Linux or Docker Installation
- If you’re on Linux or using Docker, remove the old TeamCity web application files while preserving the Data Directory and database.
- Extract the contents of the new distribution archive into your TeamCity Home Directory, replacing the old files.
Review additional upgrade instructions:
Thoroughly review the upgrade instructions for any supplementary steps, such as restoring customized config files, external database drivers, etc.
Reapply custom changes
If you made any modifications to the bundled Tomcat server or service settings, reapply them after the upgrade.
Start the Upgraded TeamCity Service
Initiate the upgraded TeamCity service and allow time for the agents to undergo auto-upgrades.
Verify the upgrade in the TeamCity web UI:
- Access the TeamCity web UI and navigate to the Maintenance page.
- Confirm that the upgrade was successful and didn’t encounter any errors.
- Finally, click the button to complete the data structure upgrade to the new format.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: