CVE-2024-27198
📋 TL;DR
CVE-2024-27198 is an authentication bypass vulnerability in JetBrains TeamCity CI/CD servers that allows unauthenticated attackers to perform administrative actions. This affects all TeamCity servers before version 2023.11.4. Attackers can create rogue administrator accounts, modify configurations, and potentially execute arbitrary code.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity is a CI/CD build server by JetBrains.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of CI/CD pipeline with ability to inject malicious code into production builds, steal source code and credentials, and establish persistent backdoor access.
Likely Case
Attackers create unauthorized admin accounts, modify build configurations, and potentially deploy malicious code to production environments.
If Mitigated
Limited impact with proper network segmentation, but still risks credential theft and configuration changes.
🎯 Exploit Status
Mass exploitation confirmed with automated attacks creating rogue administrator accounts. Exploit requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.11.4 and later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up TeamCity configuration and data.
2. Download TeamCity 2023.11.4 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the new version following the JetBrains upgrade guide.
5. Restart the TeamCity service.
6. Verify the version and check for unauthorized accounts.
🔧 Temporary Workarounds
Network Isolation
Restrict TeamCity server access to trusted IP addresses only using firewall rules. An allow rule by itself blocks nothing: pair it with a default-deny policy or an explicit drop for the port.
# Example Linux iptables rules (replace TRUSTED_IP_RANGE with your CIDR):
iptables -A INPUT -p tcp --dport 8111 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 8111 -j DROP
# Example Windows Firewall (inbound traffic is blocked by default, so one allow rule suffices as long as no broader allow rule for port 8111 exists):
New-NetFirewallRule -DisplayName "TeamCity Access" -Direction Inbound -LocalPort 8111 -Protocol TCP -RemoteAddress TRUSTED_IP_RANGE -Action Allow
Disable Public Access
Move TeamCity behind a VPN or require an authenticating reverse proxy for all access. Make sure the TeamCity port itself is reachable only from the proxy, otherwise the proxy can simply be bypassed.
# Configure a reverse proxy (nginx or Apache with an auth module) in front of TeamCity
# Example nginx location block (adjust the upstream address to where TeamCity listens):
location / { auth_basic "Restricted"; auth_basic_user_file /etc/nginx/.htpasswd; proxy_pass http://127.0.0.1:8111; }
🧯 If You Can't Patch
- Immediately audit all user accounts for unauthorized administrators and remove any suspicious accounts.
- Implement strict network segmentation and firewall rules to limit TeamCity access to only necessary IP addresses.
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version in Administration → Server Administration → Server Health. If version is below 2023.11.4, you are vulnerable.
Check Version:
# The REST API answers in XML unless JSON is requested; add -u USER:TOKEN if guest access is disabled
curl -s -H 'Accept: application/json' http://teamcity-server:8111/app/rest/server | grep -o '"version":"[^"]*"'
Verify Fix Applied:
Verify version is 2023.11.4 or higher in Administration → Server Administration → Server Health. Check user accounts for any unauthorized administrators.
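The two checks above (is the reported version below 2023.11.4, and are there administrator accounts nobody created on purpose, as the "If You Can't Patch" section asks you to audit) can be scripted against the REST API responses. The following is an added example, not JetBrains code or part of the original advisory: it parses the `version` field of a `/app/rest/server` JSON body and the role list of a `/app/rest/users` body. The JSON shapes follow TeamCity's REST API as I know it, but the sample bodies, the build number and the usernames are constructed for the example, and `SYSTEM_ADMIN` with global scope `g` is assumed to be the role that denotes a server administrator.

```python
"""Offline helpers for CVE-2024-27198 triage: version check and admin-account audit.

Added example; not JetBrains code. The JSON shapes below follow what TeamCity's
REST API returns for /app/rest/server and /app/rest/users (with a fields locator
requesting roles), but the sample bodies are constructed for this example.
"""
import json
import re

# First fixed release named in the advisory
FIXED_VERSION = (2023, 11, 4)


def parse_version(version_string):
    """Turn a TeamCity version string such as '2023.11.3 (build 147512)' into
    a comparable (major, minor, patch) tuple. Releases without a bugfix
    component, e.g. '2024.03', get patch 0."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version_string)
    if not match:
        raise ValueError(f"unrecognised TeamCity version: {version_string!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_string):
    """True when the reported version predates 2023.11.4."""
    return parse_version(version_string) < FIXED_VERSION


def version_from_server_json(body):
    """Extract the 'version' field from a /app/rest/server JSON body."""
    return json.loads(body)["version"]


def unexpected_admins(users_body, expected_admins):
    """Return usernames holding the global SYSTEM_ADMIN role that are not on
    the allow-list. Assumes the body came from
    /app/rest/users?fields=user(username,roles(role(roleId,scope)))."""
    found = []
    for user in json.loads(users_body).get("user", []):
        roles = user.get("roles", {}).get("role", [])
        is_global_admin = any(
            role.get("roleId") == "SYSTEM_ADMIN" and role.get("scope") == "g"
            for role in roles
        )
        if is_global_admin and user["username"] not in expected_admins:
            found.append(user["username"])
    return found


# Constructed sample responses (build number and usernames are made up).
SAMPLE_SERVER_JSON = '{"version":"2023.11.3 (build 147512)","buildNumber":"147512"}'
SAMPLE_USERS_JSON = json.dumps({
    "count": 3,
    "user": [
        {"username": "admin",
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
        {"username": "jdoe",
         "roles": {"role": [{"roleId": "PROJECT_DEVELOPER", "scope": "p:MyProject"}]}},
        {"username": "svc_backup9",
         "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}},
    ],
})


def run_checks(server_body=SAMPLE_SERVER_JSON, users_body=SAMPLE_USERS_JSON,
               expected_admins=frozenset({"admin"})):
    """Combine both checks into one report dict."""
    version = version_from_server_json(server_body)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "unexpected_admins": unexpected_admins(users_body, expected_admins),
    }


if __name__ == "__main__":
    report = run_checks()
    state = "VULNERABLE, patch to 2023.11.4+" if report["vulnerable"] else "patched"
    print(f"TeamCity {report['version']}: {state}")
    for name in report["unexpected_admins"]:
        print(f"unexpected global administrator: {name}")
```

To use it against a live server, fetch both bodies with `curl -H 'Accept: application/json' -u USER:TOKEN` and pass them to `run_checks` together with the set of administrator usernames you know to be legitimate; any name in `unexpected_admins` deserves a look at who created it and when.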
📡 Detection & Monitoring
Log Indicators:
- Unexpected administrator account creation
- Authentication bypass attempts in access logs
- Unusual configuration changes by new users
Network Indicators:
- Unusual HTTP requests to authentication endpoints from untrusted sources
- Traffic patterns indicating automated exploitation
SIEM Query (the quoted strings are placeholders; replace them with the exact message text your TeamCity version writes to its logs):
source="teamcity.log" AND ("admin account created" OR "authentication bypass" OR "unauthorized access")
🔗 References
- https://www.darkreading.com/cyberattacks-data-breaches/jetbrains-teamcity-mass-exploitation-underway-rogue-accounts-thrive
- https://www.jetbrains.com/privacy-security/issues-fixed/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-27198