CVE-2024-27198 / CVE-2024-27199
Authentication bypass in JetBrains TeamCity
TL;DR
Remote: ✅
Authenticated: ❌
Default config: ✅
Source: 🌍 / 🔬
Affected versions: TeamCity On-Premises up to and including 2023.11.3
Details
On March 4, 2024, JetBrains released a new version of TeamCity, its continuous integration and deployment platform. The company's release post does not mention the security fixes, but two related publications appeared the same day: a security advisory from the vendor itself and a write-up by the research team of Rapid7, both detailing the vulnerabilities.
These articles describe the two identified vulnerabilities:
- CVE-2024-27198: Authentication bypass allowing actions with administrator-level privileges (CVSSv3.1: 9.8 [Critical])
- CVE-2024-27199: Authentication bypass allowing limited actions as an administrator (CVSSv3.1: 7.3 [High])
The second vulnerability, with the lower criticality, stems from a weakness in the authentication check that permits a path traversal attack. Such an attack circumvents an access restriction by reaching a resource through a relative path rather than the absolute path the restriction covers. The list of reachable paths, although possibly not exhaustive, limits what an attacker can do to information retrieval, denial of service or, under specific conditions, interception of communications.
The first vulnerability is far more impactful. Because of a weakness in the access control mechanism, it lets an attacker perform arbitrary actions, which can lead to remote code execution (RCE).
Detection
Detection rules covering attempts to exploit these vulnerabilities are already available:
SID     | Rule name
2051505 | ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) – Vulnerability Check
2051506 | ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) – Admin User Creation Attempt
2051507 | ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27198) – Auth Token Creation Attempt
2051508 | ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) – Vulnerability Check
2051509 | ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M1
2051510 | ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M2
2051511 | ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M3
2051512 | ET WEB_SPECIFIC_APPS JetBrains TeamCity Authentication Bypass Attempt (CVE-2024-27199) M4
The Gatewatcher Purple Team also proposes the following, more general rules to detect attempts to exploit these vulnerabilities:
# CVE-2024-27198
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27198 exploitation attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?"; content:"jsp=/"; distance:0; content:"|3B|"; distance:0; content:".jsp"; distance:0; isdataat:!1,relative; flowbits:set,TeamCity.CVE-2024-27198; classtype:web-application-attack; metadata: provider Gatewatcher, performance_impact Medium, signature_severity Major, risk 80, mitre_tactic_id T0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100001;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27198 successful exploitation (adduser)"; flow:to_client,established; flowbits:isset,TeamCity.CVE-2024-27198; http.stat_code; content:"200"; http.response_body; content:"|3C|user username=|22|"; content:"SYSTEM_ADMIN"; distance:0; metadata: provider Gatewatcher, performance_impact Medium, signature_severity Major, risk 95, mitre_tactic_id T0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100002;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27198 successful exploitation (token)"; flow:to_client,established; flowbits:isset,TeamCity.CVE-2024-27198; http.stat_code; content:"200"; http.response_body; content:"|3C|token name=|22|"; content:"value=|22|"; distance:0; metadata: provider Gatewatcher, performance_impact Medium, signature_severity Major, risk 95, mitre_tactic_id T0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100003;)
# CVE-2024-27199
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27199 exploitation attempt M1"; flow:to_server,established; http.uri.raw; content:"/res/"; content:"../"; distance:0; pcre:"/\/(app|admin)\//"; classtype:web-application-attack; metadata: provider Gatewatcher, performance_impact Medium, signature_severity Minor, risk 70, mitre_tactic_id T0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100004;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27199 exploitation attempt M2"; flow:to_server,established; http.uri.raw; content:"/update/"; content:"../"; distance:0; pcre:"/\/(app|admin)\//"; classtype:web-application-attack; metadata: provider Gatewatcher, performance_impact Medium, signature_severity Minor, risk 70, mitre_tactic_id T0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100005;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GW LAB Possible CVE-2024-27199 exploitation attempt M3"; flow:to_server,established; http.uri.raw; content:"/.well-known/acme-challenge/"; content:"../"; distance:0; pcre:"/\/(app|admin)\//"; classtype:web-application-attack; metadata: provider Gatewatcher, performance_impact Medium, signature_severity Minor, risk 70, mitre_tactic_id T0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public-Facing_Application; sid:100006;)
Note: Since each information system is unique, it is essential to test the effects of any new rules in a qualification environment to prevent any degradation of performance or false positives.
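To check the behaviour of the rules above against historical data before deploying them, the following Python script (an added example, not part of the Gatewatcher advisory) applies the same match conditions to web-server access log lines; the combined log format, the placeholder paths and the client IPs are assumptions, and the sample lines are constructed.

```python
import re

# Match conditions mirrored from the rules above (assumption: the access
# log stores the raw request URI that http.uri / http.uri.raw inspect).
# CVE-2024-27198: POST, query carries "jsp=/" then ";", and the URI ends
# exactly in ".jsp" (the isdataat:!1,relative check).
RE_27198 = re.compile(r"\?.*jsp=/.*;.*\.jsp$")
# CVE-2024-27199: one of three unauthenticated prefixes, "../" after it,
# and an /app/ or /admin/ segment anywhere in the URI.
PREFIXES_27199 = ("/res/", "/update/", "/.well-known/acme-challenge/")
RE_27199_TARGET = re.compile(r"/(app|admin)/")
# Combined log format request line: client, timestamp, method, URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def classify_request(method, uri):
    """Return the CVE id whose rule conditions the request meets, else None."""
    if method == "POST" and RE_27198.search(uri):
        return "CVE-2024-27198"
    for prefix in PREFIXES_27199:
        idx = uri.find(prefix)
        # "../" has to follow the prefix, as distance:0 requires in the rule
        if idx != -1 and "../" in uri[idx + len(prefix):] \
                and RE_27199_TARGET.search(uri):
            return "CVE-2024-27199"
    return None

def scan_access_log(lines):
    """Return (client_ip, cve, uri, status) for every line matching a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        cve = classify_request(m["method"], m["uri"])
        if cve is not None:
            hits.append((m["ip"], cve, m["uri"], int(m["status"])))
    return hits

# Constructed sample lines, not captured traffic; paths are placeholders
# built only from the tokens the rules look for. Line 4 carries the jsp
# tokens mid-query, so the trailing-".jsp" check keeps it clean.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2024:10:00:01 +0000] "POST /x?jsp=/app/x;.jsp HTTP/1.1" 200 512',
    '203.0.113.10 - - [05/Mar/2024:10:00:02 +0000] "GET /res/../admin/x.jsp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Mar/2024:10:00:03 +0000] "GET /res/img/logo.png HTTP/1.1" 200 1337',
    '198.51.100.7 - - [05/Mar/2024:10:00:04 +0000] "POST /app/x?jsp=/x;.jsp&a=1 HTTP/1.1" 404 0',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags only the first two lines, which lets the rules' false-positive behaviour on benign `/res/` traffic be reviewed against a real log extract.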
Correction
As mentioned in the introduction, the publisher has already released a new version (2023.11.4) that addresses these vulnerabilities.
A patch has also been provided for users who are unable to perform a full update within a reasonable timeframe.
As a reminder, at the end of 2023 a remote code execution (RCE) vulnerability was identified in the same tool, and within days it was being exploited in attacks by several ransomware groups. It is strongly recommended to update TeamCity instances as soon as possible, especially those exposed on the internet.
Author: Purple Team Gatewatcher