CVE-2024-27198 / CVE-2024-27199
Authentication bypass in JetBrains TeamCity

The Gatewatcher Lab D

TL;DR

Remote: 
Authenticated: 
Default config: ✅
Source: 🌍 / 🔬

Affected versions

TeamCity On-Premises up to and including 2023.11.3

Details


On March 4, 2024, JetBrains released a new version of TeamCity, its continuous integration and deployment platform. While the company's release blog post does not mention the issue, two related publications appeared the same day: one from the vendor itself and one from the research team at Rapid7, each detailing the vulnerabilities.

These articles outline the two identified vulnerabilities:

  • CVE-2024-27198: Authentication bypass allowing actions with administrator-level privileges (CVSSv3.1: 9.8 [Critical])
  • CVE-2024-27199: Authentication bypass allowing limited actions as an administrator (CVSSv3.1: 7.3 [High])

The second vulnerability, with the lower score, is a path traversal caused by a weakness in the authentication check: a handful of path prefixes are served without a session, and a request that starts with one of them but then climbs out of it with `../` sequences reaches resources that should require authentication. Although the list of reachable paths may not be exhaustive, it limits an attacker to information retrieval, denial of service or, under specific conditions, eavesdropping on communications.

The first vulnerability is far more serious. Because of a weakness in the access control mechanism (an alternative path reached through a crafted `?jsp=` query parameter, which is what the detection rules below match on), an unauthenticated attacker can call the REST API with administrator privileges, for example to create a new administrator account or an access token, and from there reach remote code execution (RCE).
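The failure mode behind the path traversal, shown as an added example in Python (this is an illustrative model, not TeamCity's code): an authentication filter exempts a few path prefixes but tests them against the raw request path, while the layer that actually serves the file resolves `..` afterwards. The exempt prefixes are the ones the detection rules on this page key on; the allowlist, the function names and the sample paths are assumptions made for the demo.

```python
"""Illustrative model of the CVE-2024-27199 failure mode (added example; this is
not TeamCity's code). The exempt prefixes are those the page's detection rules
match on; the allowlist, helpers and sample paths are assumptions for the demo."""
from posixpath import normpath
from urllib.parse import unquote

# Path prefixes served without a session (assumed allowlist for the demo).
AUTH_EXEMPT_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")


def resolve(raw_path: str) -> str:
    """Path the application actually serves: percent-decode, then collapse '.'/'..'."""
    canonical = normpath(unquote(raw_path))
    return canonical if canonical.startswith("/") else "/" + canonical


def is_exempt_vulnerable(raw_path: str) -> bool:
    """Weak check: prefix match on the un-normalised request path."""
    return raw_path.startswith(AUTH_EXEMPT_PREFIXES)


def is_exempt_fixed(raw_path: str) -> bool:
    """Hardened check: decode, refuse any '..' segment or backslash, and only
    then compare the canonical path with the allowlist."""
    decoded = unquote(raw_path)
    if "\\" in decoded or ".." in decoded.split("/"):
        return False
    canonical = resolve(raw_path)
    if canonical != decoded.rstrip("/"):
        # Normalisation changed the path (e.g. '/./' or '//'): don't guess, refuse.
        return False
    return canonical.startswith(AUTH_EXEMPT_PREFIXES)


def gate(raw_path: str, exempt_check) -> tuple:
    """Returns (served_path, requires_auth) for a request under a given check."""
    return resolve(raw_path), not exempt_check(raw_path)


if __name__ == "__main__":
    # Constructed sample requests: one benign, two traversal attempts.
    for path in ("/res/img/logo.png",
                 "/res/../admin/diagnostic.jsp",
                 "/.well-known/acme-challenge/%2e%2e/%2e%2e/app/rest/server"):
        print(path, "->", gate(path, is_exempt_vulnerable), gate(path, is_exempt_fixed))
```

With the weak check, `/res/../admin/diagnostic.jsp` is treated as an exempt static resource and yet served as `/admin/diagnostic.jsp`; the hardened check refuses the `..` segment before the prefix comparison, and also rejects the percent-encoded variant because it decodes first.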

Detection


Detection rules are available to detect attempts to exploit these vulnerabilities.

The available (Emerging Threats) rules are as follows:

  • 2051505 – ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) – Vulnerability Check
  • 2051506 – ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) – Admin User Creation Attempt
  • 2051507 – ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) – Auth Token Creation Attempt
  • 2051508 – ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) – Vulnerability Check
  • 2051509 – ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
  • 2051510 – ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
  • 2051511 – ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
  • 2051512 – ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4

The Gatewatcher purple team also proposes the following, more generic Suricata rules to detect an attempt to exploit these vulnerabilities. The request-side rules watch client-to-server traffic; the two response-side rules for CVE-2024-27198 check the server's reply on the same flow, using the flowbit set by the first rule, for an XML user holding the SYSTEM_ADMIN role or a freshly created token.

# CVE-2024-27198

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27198 exploitation attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?"; content:"jsp=/"; distance:0; content:"|3B|"; distance:0; content:".jsp"; distance:0; isdataat:!1,relative; flowbits:set,TeamCity.CVE-2024-27198; classtype:web-application-attack; metadata:provider Gatewatcher, performance_impact Medium, signature_severity Major, risk 80, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100001; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GW LAB Possible CVE-2024-27198 successful exploitation (adduser)"; flow:to_client,established; flowbits:isset,TeamCity.CVE-2024-27198; http.stat_code; content:"200"; http.response_body; content:"|3C|user username=|22|"; content:"SYSTEM_ADMIN"; distance:0; classtype:successful-admin; metadata:provider Gatewatcher, performance_impact Medium, signature_severity Major, risk 95, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100002; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GW LAB Possible CVE-2024-27198 successful exploitation (token)"; flow:to_client,established; flowbits:isset,TeamCity.CVE-2024-27198; http.stat_code; content:"200"; http.response_body; content:"|3C|token name=|22|"; content:"value=|22|"; distance:0; classtype:successful-admin; metadata:provider Gatewatcher, performance_impact Medium, signature_severity Major, risk 95, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100003; rev:1;)

# CVE-2024-27199

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27199 exploitation attempt M1"; flow:to_server,established; http.uri.raw; content:"/res/"; content:"../"; distance:0; pcre:"/\/(app|admin)\//"; classtype:web-application-attack; metadata:provider Gatewatcher, performance_impact Medium, signature_severity Minor, risk 70, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100004; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27199 exploitation attempt M2"; flow:to_server,established; http.uri.raw; content:"/update/"; content:"../"; distance:0; pcre:"/\/(app|admin)\//"; classtype:web-application-attack; metadata:provider Gatewatcher, performance_impact Medium, signature_severity Minor, risk 70, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100005; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27199 exploitation attempt M3"; flow:to_server,established; http.uri.raw; content:"/.well-known/acme-challenge/"; content:"../"; distance:0; pcre:"/\/(app|admin)\//"; classtype:web-application-attack; metadata:provider Gatewatcher, performance_impact Medium, signature_severity Minor, risk 70, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100006; rev:1;)

Note: since every information system is unique, any new rule must be tested in a qualification environment before deployment, to avoid performance degradation or false positives.
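The matching conditions of the rules above, re-implemented as an added Python example (not the original page's or Gatewatcher's code) and run over constructed HTTP transactions rather than captured traffic, so the logic can be exercised offline without a sensor. The flowbit of the first rule is modelled as a set of flagged flow identifiers; the sample request URIs and XML bodies are made up for the demo and only mimic the shape of TeamCity's REST responses.

```python
"""Added example: the matching logic of the Suricata rules on this page,
re-implemented in Python over constructed transactions (not real traffic).
Flow ids, URIs and response bodies are assumptions made for the demo."""
import re
from dataclasses import dataclass


@dataclass
class HttpTx:
    flow: str                 # flow identifier (stand-in for the 5-tuple)
    direction: str            # "request" or "response"
    method: str = ""
    uri: str = ""             # raw request-URI, query string included
    status: int = 0
    body: str = ""


# CVE-2024-27198: POST whose URI carries '?', then 'jsp=/', a ';' and ends with '.jsp'
RE_27198 = re.compile(r"\?.*jsp=/.*;.*\.jsp$")
# CVE-2024-27199: an auth-exempt prefix, '../' after it, and an /app/ or /admin/ segment
PREFIX_LABELS = {"/res/": "M1", "/update/": "M2", "/.well-known/acme-challenge/": "M3"}
RE_TARGET = re.compile(r"/(app|admin)/")


def match_27198_attempt(tx: HttpTx) -> bool:
    return tx.method == "POST" and RE_27198.search(tx.uri) is not None


def match_27199_attempt(tx: HttpTx):
    """Returns the variant label (M1..M3) or None."""
    for prefix, label in PREFIX_LABELS.items():
        i = tx.uri.find(prefix)
        if i != -1 and "../" in tx.uri[i + len(prefix):] and RE_TARGET.search(tx.uri):
            return label
    return None


def match_27198_success(tx: HttpTx):
    """Response side: HTTP 200 and either a created user holding SYSTEM_ADMIN
    or a token element that carries a value."""
    if tx.status != 200:
        return None
    i = tx.body.find('<user username="')
    if i != -1 and "SYSTEM_ADMIN" in tx.body[i:]:
        return "CVE-2024-27198 success (adduser)"
    i = tx.body.find('<token name="')
    if i != -1 and 'value="' in tx.body[i:]:
        return "CVE-2024-27198 success (token)"
    return None


def scan(transactions):
    """Walks transactions in wire order and returns [(flow, alert_label), ...]."""
    alerts, flagged = [], set()
    for tx in transactions:
        if tx.direction == "request":
            if match_27198_attempt(tx):
                alerts.append((tx.flow, "CVE-2024-27198 attempt"))
                flagged.add(tx.flow)           # flowbits:set
            variant = match_27199_attempt(tx)
            if variant:
                alerts.append((tx.flow, f"CVE-2024-27199 attempt {variant}"))
        elif tx.flow in flagged:               # flowbits:isset on the response
            label = match_27198_success(tx)
            if label:
                alerts.append((tx.flow, label))
    return alerts


# Constructed sample traffic (not captured from a real instance).
SAMPLE = [
    HttpTx("f1", "request", "POST", "/hax?jsp=/app/rest/users;.jsp"),
    HttpTx("f1", "response", status=200,
           body='<user username="svc_ci" id="12"><roles><role roleId="SYSTEM_ADMIN" scope="g"/></roles></user>'),
    HttpTx("f2", "request", "POST", "/hax?jsp=/app/rest/users/id:12/tokens/t;.jsp"),
    HttpTx("f2", "response", status=200, body='<token name="t" value="demo-token-value"/>'),
    HttpTx("f3", "request", "GET", "/res/../admin/diagnostic.jsp"),
    HttpTx("f4", "request", "GET", "/.well-known/acme-challenge/../../app/rest/server"),
    HttpTx("f5", "request", "GET", "/res/img/logo.png"),                   # benign
    HttpTx("f6", "response", status=200, body='<user username="admin"/>'),  # no prior attempt on f6
]

if __name__ == "__main__":
    for flow, label in scan(SAMPLE):
        print(flow, label)
```

Flow f6 illustrates why the response rules are gated on the flowbit: a 200 carrying a user element is normal REST traffic on its own and only becomes an indicator when the same flow previously carried the `?jsp=` bypass request.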

Remediation


As mentioned above, JetBrains has already released a fixed version (2023.11.4) that addresses both vulnerabilities.

A security patch is also provided for users who cannot perform a full upgrade within a reasonable timeframe.

As a reminder, at the end of 2023 an RCE vulnerability was identified in the same product, and within days it was being exploited in attacks by several ransomware groups. Updating TeamCity instances as soon as possible is strongly recommended, especially when they are exposed to the internet.


Author: Purple Team Gatewatcher