In recent months a vulnerability in JetBrains TeamCity (CVE-2023-42793) has been exploited in the wild to achieve unauthenticated remote code execution on affected servers. Researchers at Rapid7 have analyzed the vulnerability and published a Metasploit module that demonstrates the exploit. SonarSource originally discovered the vulnerability on September 26th, 2023, and on December 13th, 2023 CISA reported that the Russian Foreign Intelligence Service (SVR) has been exploiting it.
The vulnerability lies in a request interceptor (a hook that lets custom middleware run before a request is handled) inside TeamCity's authentication layer. JetBrains' implementation of the authorization check exempts any request whose path matches a wildcard pattern beginning with /**, and because /** matches any sequence of path segments, an attacker can craft a URL that satisfies the exemption yet is routed to an endpoint that should require authentication. That bypass exposes the source code and service secrets held by the server. An attacker who controls a TeamCity server can also tamper with the build pipelines it runs and inject malicious code into the artifacts they produce, so the impact can extend to end users of software built on a compromised server.
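To make the failure mode concrete, here is an added illustration, written for this post and not taken from TeamCity's code or from SonarSource's or Rapid7's analysis, of how a wildcard exemption in an authentication interceptor over-matches. The exemption lists, the /**/healthcheck pattern, the /api/admin/... request path and the helper names are all hypothetical; the point is that an Ant-style /** wildcard matches any run of path segments, so an exemption written with a leading /**/ covers not only the intended path but every other path ending the same way.

```python
import re


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regex.

    '/**/' matches zero or more whole path segments, '**' elsewhere matches
    anything (including '/'), and '*' matches within a single segment.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out.append("/(?:.*/)?")   # '/a/**/b' matches '/a/b' and '/a/x/y/b'
            i += 4
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


# Hypothetical exemption lists (assumed for this example, not TeamCity's).
# The first entry of the weak list is the bug: a leading '/**/' means
# "this suffix, under any prefix", so it covers far more than one endpoint.
EXEMPT_WEAK = ["/**/healthcheck", "/login.html", "/static/**"]
# Hardened list: every unauthenticated path is anchored to a fixed location.
EXEMPT_FIXED = ["/healthcheck", "/login.html", "/static/**"]


def is_exempt(path: str, patterns) -> bool:
    """True if any exemption pattern matches the request path."""
    return any(glob_to_regex(p).match(path) for p in patterns)


def authorize(path: str, authenticated: bool, patterns) -> str:
    """Decide a request the way an authentication interceptor would:
    allow if the caller is authenticated or the path is exempt."""
    if authenticated or is_exempt(path, patterns):
        return "allow"
    return "deny"


def over_broad_exemptions(patterns):
    """Audit helper: flag exemption patterns that open with a '**' wildcard,
    since those match an unbounded set of prefixes."""
    return [p for p in patterns if p.startswith("/**") or p.startswith("**")]


if __name__ == "__main__":
    # Constructed request path: an admin API route that happens to end in
    # the exempted suffix. No credentials are supplied.
    probe = "/api/admin/tokens/healthcheck"
    print("weak list :", authorize(probe, False, EXEMPT_WEAK))    # allow (bypass)
    print("fixed list:", authorize(probe, False, EXEMPT_FIXED))   # deny
    print("over-broad:", over_broad_exemptions(EXEMPT_WEAK))      # ['/**/healthcheck']
```

The audit helper is the practical takeaway: when reviewing any framework's "paths that skip authentication" list, treat a pattern that begins with a multi-segment wildcard as a finding until someone shows why every path it can match is genuinely safe to serve unauthenticated.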
According to the CVE, all versions of TeamCity before 2023.05.4 are vulnerable. Of the roughly 3,400 TeamCity instances Censys observed, approximately 45.53% (1,548 instances) are running versions earlier than 2023.05.4. The graph below shows the ten most common vulnerable versions.
We can list the exposed TeamCity hosts that may be vulnerable to this attack with the following Censys search query (note that it returns every TeamCity instance Censys sees, so the version of each still has to be checked against 2023.05.4):
services.software: (vendor: JetBrains and product: TeamCity)
The majority of these instances are hosted in cloud environments, particularly in the United States, Germany, Ireland, and Russia.
A large share of these hosts sit in cloud and hosting provider networks such as Amazon (AS16509), Microsoft (AS8075), Hetzner (AS24940), and OVH (AS16276). In total, the 1,548 vulnerable instances are served by 1,416 distinct hosts, so some hosts expose more than one TeamCity instance.
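The version threshold above and the distinction between hosts and the instances they expose are easy to reproduce against your own inventory. The following script is an added example written for this post, not Censys or JetBrains code: it parses TeamCity-style version strings, compares them with 2023.05.4, counts vulnerable instances and the distinct hosts behind them, and ranks the most common vulnerable versions. The records, TEST-NET addresses and version banners are constructed sample data, and the record layout ({'ip', 'port', 'version'}) is an assumption for the example, not the Censys API schema.

```python
from collections import Counter
import re

# Per the CVE, TeamCity releases older than this are affected.
FIXED_VERSION = "2023.05.4"

_VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(banner: str):
    """Return (year, month, patch) from a TeamCity-style version string.

    Accepts 'YYYY.MM', 'YYYY.MM.N' and trailing build info such as
    '2023.05.3 (build 129390)'. A missing patch component counts as 0,
    so '2023.05' sorts before '2023.05.1'. Raises ValueError when no
    version is present (a banner-less service cannot be classified).
    """
    m = _VERSION_RE.search(banner or "")
    if not m:
        raise ValueError(f"no TeamCity version in {banner!r}")
    year, month, patch = m.groups()
    return (int(year), int(month), int(patch or 0))


def version_label(banner: str) -> str:
    """The bare version text with any build suffix stripped, for reporting."""
    return _VERSION_RE.search(banner).group(0)


def is_vulnerable(banner: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the observed version sorts before the fixed release."""
    return parse_version(banner) < parse_version(fixed)


def summarize(records, top_n: int = 10) -> dict:
    """Classify observed instances and rank the most common vulnerable versions.

    Each record is {'ip', 'port', 'version'}; one host (ip) may expose
    several instances (ports). Records without a parsable version are
    reported as 'unknown' and are not counted as vulnerable.
    """
    vulnerable, unknown = [], 0
    for r in records:
        try:
            if is_vulnerable(r["version"]):
                vulnerable.append(r)
        except ValueError:
            unknown += 1
    top = Counter(version_label(r["version"]) for r in vulnerable).most_common(top_n)
    share = round(100 * len(vulnerable) / len(records), 2) if records else 0.0
    return {
        "instances": len(records),
        "vulnerable_instances": len(vulnerable),
        "vulnerable_hosts": len({r["ip"] for r in vulnerable}),
        "unknown": unknown,
        "share": share,
        "top": top,
    }


# Constructed sample (TEST-NET addresses, not Censys data). 192.0.2.12 runs
# two listeners of the same build, which is why hosts and instances differ.
OBSERVED = [
    {"ip": "192.0.2.10", "port": 8111, "version": "2023.05.4 (build 129421)"},
    {"ip": "192.0.2.11", "port": 8111, "version": "2023.11"},
    {"ip": "192.0.2.12", "port": 8111, "version": "2023.05.3 (build 129390)"},
    {"ip": "192.0.2.12", "port": 443, "version": "2023.05.3 (build 129390)"},
    {"ip": "192.0.2.13", "port": 8111, "version": "2023.05.3"},
    {"ip": "192.0.2.14", "port": 8111, "version": "2023.05.2"},
    {"ip": "192.0.2.15", "port": 8111, "version": "2022.10.3"},
    {"ip": "192.0.2.16", "port": 8111, "version": "2022.04"},
    {"ip": "192.0.2.17", "port": 8111, "version": "2021.2.3"},
    {"ip": "192.0.2.18", "port": 8111, "version": "2024.03.1"},
    {"ip": "192.0.2.19", "port": 8111, "version": ""},   # no version advertised
]

if __name__ == "__main__":
    report = summarize(OBSERVED)
    print(f"{report['vulnerable_instances']}/{report['instances']} instances "
          f"({report['share']}%) on {report['vulnerable_hosts']} hosts are "
          f"older than {FIXED_VERSION}; {report['unknown']} unknown")
    for version, count in report["top"]:
        print(f"  {version:12} {count}")
```

Version strings scraped from a login page or HTTP response can be missing or stale, which is why unparsable banners are reported separately rather than silently counted as safe. Treat the output as a triage list and confirm each server's version directly before closing the finding.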
What can be done?
- Censys ASM customers will have access to a new risk that will identify potentially vulnerable TeamCity servers.
- Refer to CISA's guidance to check your TeamCity instance for indicators of compromise.
- Check for exposed TeamCity servers using the Censys Search query above.
- Update TeamCity to the latest version (at minimum 2023.05.4).
- If you're unable to upgrade in the short term, restrict access with firewall rules or other access controls so the server is not reachable from the internet.