JetBrains urges swift patching of latest critical TeamCity flaw

Cloud version is safe, but no assurances offered about possible on-prem exploits


JetBrains is encouraging all users of TeamCity (on-prem) to upgrade to the latest version following the disclosure of a critical vulnerability in the CI/CD tool.

Tracked as CVE-2024-23917, the vulnerability has been assigned a provisional CVSS score of 9.8 and allows unauthenticated remote attackers to take over vulnerable servers with administrative privileges.

"All versions from 2017.1 through 2023.11.2 are affected by this issue," Daniel Gallo, solutions engineer at JetBrains, said in an advisory. "The issue has been patched in 2023.11.3. We recommend upgrading as soon as possible."

TeamCity Cloud has already been patched, so only admins of on-prem servers need to act. JetBrains also confirmed that no attacks had been detected against TeamCity Cloud, but made no such assertion about the on-prem product.

Patching can be carried out by downloading the latest version, using TeamCity's built-in automatic update feature, or by installing the security patch plugin, which addresses CVE-2024-23917 only.

JetBrains said it is always best to upgrade the whole server rather than patch the single vulnerability, since users then receive all the other security fixes that come with the new version.

If, for whatever reason, none of the patches or mitigations can be applied immediately, JetBrains recommends that public-facing TeamCity servers be made inaccessible from the internet until the critical flaw is addressed.
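The advisory gives a precise affected range (2017.1 through 2023.11.2, fixed in 2023.11.3), which is enough to triage an inventory of on-prem servers by version string. The script below is an added example, not JetBrains' code or tooling: it parses version strings in the "2023.11.2 (build 147704)" form that TeamCity displays, decides whether each falls in the affected range, and reports which hosts still need the upgrade. The hostnames and version strings are constructed sample data; how you collect real version strings (the login page footer or the REST API's server endpoint, both of which this example assumes rather than demonstrates) is left to the reader.

```python
import re

# Affected range and fixed version, as stated in the JetBrains advisory for CVE-2024-23917.
FIRST_AFFECTED = (2017, 1, 0)
LAST_AFFECTED = (2023, 11, 2)
FIXED = (2023, 11, 3)

# Matches the leading "year.major[.minor]" of a TeamCity version string such as
# "2023.11.2 (build 147704)"; the build suffix and any EAP/RC tag are ignored.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (year, major, minor) for a TeamCity version string; minor defaults to 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    year, major, minor = m.groups()
    return (int(year), int(major), int(minor or 0))


def is_affected(version_text):
    """True if the version lies in the advisory's affected range (inclusive at both ends)."""
    return FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED


def triage(inventory):
    """Map each host to 'affected', 'patched', or 'unparseable' for a {host: version} dict."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "affected" if is_affected(version_text) else "patched"
        except ValueError:
            # Unknown format: flag it rather than silently treating it as safe.
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {
    "tc-build-01.example.internal": "2023.11.2 (build 147704)",
    "tc-build-02.example.internal": "2023.11.3 (build 147512)",
    "tc-legacy.example.internal": "2017.1",
    "tc-old.example.internal": "2016.12.1",
    "tc-broken.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:32} {status}")
```

Anything reported as "affected" needs the full upgrade to 2023.11.3 or later (or, failing that, the single-fix plugin and removal from the internet); "unparseable" entries should be checked by hand, since the script deliberately refuses to guess.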

The disclosure comes just a few months after it was revealed that state-sponsored attackers from Russia and North Korea were separately targeting TeamCity servers vulnerable to a similar flaw announced in September.

CVE-2023-42793 also carried a 9.8 severity score, and activity from foreign offensive cyber units prompted leading Western authorities to issue a joint advisory urging swift patching.

There was no evidence to suggest the access the attackers had was used to lay the groundwork for a SolarWinds-like attack, which is always the fear when there are reports of CI/CD compromises.

Instead, Russia's Foreign Intelligence Service (SVR) exploited the vulnerability to move laterally around victims' networks and plant backdoors to facilitate follow-on attacks.

The SVR used the GraphicalProton backdoor in attacks driven by a modus operandi that does not appear to have changed much in the past ten years. Russia is well known for its propensity to steal sensitive, confidential information in offensive cyber operations. ®
