CI/CD platform TeamCity exposed to critical pre-auth RCE bug, amid disclosure spat

JetBrains' platform is "a suitable vector to position an attacker to perform a supply chain attack" if compromised, warns Rapid7.

A platform used to help build and deploy software, TeamCity, can be trivially taken over by a remote and unauthenticated attacker – and all on-premises versions of the CI/CD server are exposed, provider JetBrains warned on Monday after facing pressure to disclose the critical bug.

JetBrains says that TeamCity has “30,000 organisations around the world” using the platform, including Citi, ICBC, HP, Samsung, Ubisoft, and Visa. Approximately 2,000 servers appeared publicly exposed as The Stack published, according to one scan that we could not immediately verify.

JetBrains initially pushed out a controversial silent update, stating only that the updated version of the software included “important security fixes” without disclosing their severity or CVEs; a move that leaves customers unable to adequately prioritise how urgently they should patch.

The dangerous pre-authentication, remote code execution (pre-auth RCE) vulnerability has been allocated CVE-2024-27198 with a CVSS 9.8 rating. TeamCity customers should urgently upgrade to version 2023.11.4. 

No attacks have yet been reported in the wild but are likely to follow shortly given the vulnerability’s severity and the extent to which the platform represents a compelling target for those with bad intentions.

JetBrains’ guidance is here

Cybersecurity company Rapid7, whose Principal Security Researcher Stephen Fewer identified and disclosed the vulnerability, warned on March 4: “Compromising a TeamCity server allows an attacker full control over all TeamCity projects, builds, agents and artifacts, and as such is a suitable vector to position an attacker to perform a supply chain attack.”

Privately held multinational JetBrains, which boasts over three million customers, complained in a March 4 advisory that “Rapid7 (the reporter of the vulnerabilities) is strictly adhering to its vulnerability disclosure policy, which means their team will publish the full technical details of these vulnerabilities within 24 hours of this announcement. It is, therefore, imperative you upgrade or patch your server immediately.”

Rapid7’s analysis of the TeamCity vulnerability is here. (It also disclosed another, less severe authentication bypass vulnerability, CVE-2024-27199.)

A timeline of the vulnerability disclosure published by Rapid7 showed that JetBrains had requested on February 21 that it be left to release patches “privately” and was given a firm “no” (for these reasons, among others) so it had time to coordinate disclosure should it have chosen to do so.  

It appears to have attempted to push a “silent patch” late Sunday/early Monday regardless. Rapid7 promptly wrote to the company “expressing concern that a patch was released without notifying or coordinating with our team, and without publishing advisories for the security issues.” 

Rapid7 has now published a detailed technical analysis.
