CVE-2021-43193
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on JetBrains TeamCity servers by exploiting the agent push functionality. It affects all TeamCity installations before version 2021.1.2. Attackers can potentially gain full control of affected systems.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity, a CI/CD build server by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, deploy ransomware, or pivot to other systems in the network.
Likely Case
Attackers gain remote code execution capabilities, potentially compromising build pipelines, stealing source code, credentials, and sensitive configuration data.
If Mitigated
Limited impact with proper network segmentation and access controls, but the flaw still poses a significant risk to CI/CD pipeline integrity.
🎯 Exploit Status
Exploitation requires no authentication and has been actively exploited in the wild. The vulnerability lies in the agent push mechanism, which allows remote code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.1.2 or later
Vendor Advisory: https://blog.jetbrains.com/blog/2021/11/08/jetbrains-security-bulletin-q3-2021/
Restart Required: Yes
Instructions:
1. Back up your TeamCity configuration and data.
2. Download TeamCity 2021.1.2 or later from the official JetBrains website.
3. Stop the TeamCity service.
4. Install the updated version following the JetBrains upgrade documentation.
5. Restart the TeamCity service.
6. Verify that the upgrade was successful.
🔧 Temporary Workarounds
Disable Agent Push Functionality
Temporarily disable the vulnerable agent push functionality until patching can be completed.
Navigate to TeamCity Administration > Agents > Agent Push Configuration and disable agent push
Network Segmentation
Restrict network access to TeamCity servers to only trusted IP addresses and networks.
Configure firewall rules to allow TeamCity access only from authorized IP ranges
🧯 If You Can't Patch
- Immediately restrict network access to TeamCity servers using firewall rules to allow only trusted IP addresses
- Disable the agent push functionality in TeamCity administration settings as a temporary mitigation
🔍 How to Verify
Check if Vulnerable:
Check the TeamCity version in Administration > Server Administration > Server Health. If the version is below 2021.1.2, the system is vulnerable.
Check Version:
Check TeamCity web interface at Administration > Server Administration > Server Health or examine the TeamCity server logs for version information.
Verify Fix Applied:
Verify that the TeamCity version shows 2021.1.2 or later in Administration > Server Administration > Server Health. If agent push was disabled as a temporary workaround, re-enable it and confirm that it works as expected.
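The version check above, as an added example that is not part of this advisory: it parses the version string TeamCity shows on the Server Health page (assumed to look like "2021.1.1 (build 12345)") and compares it against the fixed release 2021.1.2. The REST endpoint /app/rest/server and its `version` attribute are assumptions, and the XML sample and build numbers are constructed for the example.

```python
"""Check a TeamCity version string against the fixed release for CVE-2021-43193.

Assumptions (not from the advisory): version strings look like
"2021.1.1 (build 12345)", and GET /app/rest/server returns XML whose root
element carries a `version` attribute. The sample XML below is constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2021, 1, 2)  # first release containing the fix, per the advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_str: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from strings like '2021.1 (build 12345)'.

    A missing patch component (e.g. '2021.2') is treated as 0.
    """
    m = _VERSION_RE.search(version_str)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {version_str!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version_str: str) -> bool:
    """True if the version predates 2021.1.2, i.e. is affected by CVE-2021-43193."""
    return parse_version(version_str) < FIXED_VERSION


# Constructed sample of a /app/rest/server response (attribute names assumed).
SAMPLE_SERVER_XML = '<server version="2021.1.1 (build 12345)" buildNumber="12345"/>'


def check_server_xml(xml_text: str) -> dict:
    """Parse a server-info XML document and report whether it is affected."""
    root = ET.fromstring(xml_text)
    version = root.attrib["version"]
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    for v in ["2020.2.4 (build 11111)", "2021.1.1 (build 12345)",
              "2021.1.2 (build 12346)", "2021.2"]:
        print(f"{v:24s} vulnerable={is_vulnerable(v)}")
    print(check_server_xml(SAMPLE_SERVER_XML))
```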
📡 Detection & Monitoring
Log Indicators:
- Unusual agent push requests
- Unexpected process executions on TeamCity server
- Suspicious network connections from TeamCity to external systems
Network Indicators:
- Unusual outbound connections from TeamCity server
- Exploitation attempts on TeamCity agent push endpoints
SIEM Query:
source="teamcity.logs" AND ("agent push" OR "remote code" OR "unauthorized access")