CVE-2022-24335
📋 TL;DR
This vulnerability in JetBrains TeamCity allows attackers to exploit a race condition during agent registration via XML-RPC, potentially enabling unauthorized agent registration or privilege escalation. It affects TeamCity instances before version 2021.2. Organizations using vulnerable TeamCity versions for CI/CD pipelines are at risk.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
Attackers could register malicious build agents with elevated privileges, leading to code execution, data exfiltration, or compromise of the entire CI/CD pipeline.
Likely Case
Unauthorized agent registration allowing attackers to execute arbitrary build steps, potentially injecting malicious code into software builds.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to the TeamCity server itself rather than the broader infrastructure.
🎯 Exploit Status
Exploitation requires timing precision and understanding of TeamCity's agent registration process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.2 and later
Vendor Advisory: https://blog.jetbrains.com/blog/2022/02/08/jetbrains-security-bulletin-q4-2021/
Restart Required: Yes
Instructions:
1. Back up TeamCity configuration and data.
2. Download TeamCity 2021.2 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the new version following the JetBrains upgrade guide.
5. Restart the TeamCity service.
6. Verify agent connections and build configurations.
🔧 Temporary Workarounds
Disable XML-RPC agent registration
All platforms: Temporarily disable the vulnerable XML-RPC agent registration endpoint
Modify TeamCity configuration to disable XML-RPC agent registration (consult TeamCity documentation for specific configuration changes)
Network segmentation
All platforms: Restrict access to TeamCity XML-RPC endpoints
Configure firewall rules to limit XML-RPC access to trusted IP addresses only
🧯 If You Can't Patch
- Implement strict network access controls to limit XML-RPC endpoints to trusted sources only
- Enable detailed logging for agent registration events and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version via web interface (Administration → Global Settings) or server logs. Versions before 2021.2 are vulnerable.
Check Version:
Check TeamCity web interface at /admin/admin.html?item=diagnostics or examine server startup logs
Verify Fix Applied:
Verify TeamCity version is 2021.2 or later and test agent registration functionality works correctly.
📡 Detection & Monitoring
Log Indicators:
- Multiple rapid agent registration attempts from same source
- Agent registrations with unusual timing patterns
- XML-RPC registration requests with malformed data
Network Indicators:
- Unusual XML-RPC traffic patterns to TeamCity agent registration endpoints
- Multiple connection attempts to XML-RPC port from untrusted sources
SIEM Query:
source="teamcity.log" AND ("agent registration" OR "XML-RPC") AND (status="failed" OR count > threshold)
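
The first log indicator above (multiple rapid agent registration attempts from the same source) can be checked with a sliding-window count per source. The following is an added example, not code from JetBrains or from this page; the log line format, field names and sample lines are constructed for illustration and must be adapted to what your server actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format; real TeamCity log
# lines differ, so adapt LINE_RE to what your server actually writes.
SAMPLE_LOG = """\
2022-02-10 10:00:00.100 agent registration source=10.0.0.5 name=agent-a
2022-02-10 10:00:00.150 agent registration source=10.0.0.5 name=agent-a
2022-02-10 10:00:00.180 agent registration source=10.0.0.5 name=agent-b
2022-02-10 10:00:00.200 agent registration source=10.0.0.5 name=agent-a
2022-02-10 10:00:05.000 agent registration source=10.0.0.9 name=agent-c
2022-02-10 10:07:00.000 agent registration source=10.0.0.9 name=agent-c
not a registration line
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) agent registration "
    r"source=(?P<src>\S+) name=(?P<name>\S+)$"
)

def find_registration_bursts(lines, window=timedelta(seconds=1), threshold=3):
    """Return {source: peak count} for sources with >= threshold registration
    events inside any sliding window. Lines must be in chronological order."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["src"]] = max(peaks.get(m["src"], 0), len(q))
    return peaks

if __name__ == "__main__":
    for src, peak in find_registration_bursts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peak} registrations within 1s")
```

Tune `window` and `threshold` against the normal reconnect behaviour of your own agents before alerting on the result.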