Image source: Shutterstock
Move follows reports this week of threat actors actively exploiting the flaw in ransomware attacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed authentication bypass flaw in the JetBrains TeamCity CI/CD platform (CVE-2023-42793) to its catalog of known exploited vulnerabilities (KEV). The move follows recent reports about ransomware actors actively exploiting the flaw to compromise several organizations.
All federal civilian executive branch agencies have until October 25 to apply JetBrains’s patch for the flaw or to discontinue use of the product till they are able to mitigate against the vulnerability.
TeamCity is a general-purpose continuous integration and continuous delivery platform that organizations use to automate software building, testing and delivery. The Java-based build management and CI server has a much smaller market share than its main rivals Jenkins and Cloudbees Jenkins. But JetBrains counts many major organizations as its customers including Citibank, Google, P&G, Volkswagen and the New York Times.
Here’s what you need to know about the vulnerability.
CVE-2023-42794 affects all versions of TeamCity On-Premises. The vulnerability gives unauthenticated attackers a way to bypass authentication controls and perform a remote code execution attack on an affected system. An attacker who successfully exploits the vulnerability can gain full administrative control of TeamCity. JetBrains disclosed the vulnerability on Sept. 20. The company has identified the flaw as being of critical severity and assigned it a near-maximum score of 9.8 on the CVSS scale. Researchers from Sonar reported the vulnerability to JetBrains.
What’s with the exploit activity? Earlier this week, cyberthreat intelligence company Prodaft said it had observed several ransomware groups starting to weaponize CVE-2023-42793 and include the exploit in their attack chains. “Our #BLINDSPOT platform has detected multiple organizations already exploited by threat actors over the past three days. Unfortunately, most of them will have a huge headache in the upcoming weeks,” Prodaft said in a tweet.
ShadowServer Foundation, the non-profit that gathers intelligence on cyber threats from around the Internet said it had discovered 1,296 unique IPs vulnerable to CVE-2023-42793 as of October 30. Out of that, 351 Ips were located in the US, 144 in Germany, 102 in China and 74 in the United Kingdom. ShadowServer reported finding vulnerable instances in several other countries as well including Ireland, Singapore, Australia, Canada and Poland.
Here’s what you need to do if affected.
JetBrains addressed CVE-2023-42794 in TeamCity version 2023.05.4 and has recommended that affected organizations implement the update as soon as possible. Here’s where you can find the update.
What if I cannot immediately update to TeamCity 2023.05.4?
JetBrains has released what it calls a security patch plugin that organizations—which cannot immediately update—can use to patch their environment. The plugin will patch the RCE vulnerability and can be enabled without restarting the TeamCity server on versions 2019.2 and later. For TeamCity versions prior to 2019.2, a system restart is necessary. Here’s where you can find the plugins: for TeamCity 2018.2 to 2023.05.3 | for TeamCity 8.0 to 2018.1 (PLEASE NOTE: Clicking on the link directly downloads the plugins). Here again is JetBrain’s advisory from where you can download the plugins directly as well.