Global Context (at time of dissemination)
• 5,699 hosts affected globally
• 96% of globally affected hosts with an exposed login page
• 26% of globally affected hosts with remote access capabilities
• 6% of globally affected hosts with file sharing capabilities
Top affected countries:
1. US
2. Germany
3. Ireland
4. Russia
5. UK
Summary
Censys is aware that on March 5, 2024, two new TeamCity vulnerabilities (one critical and one high) were disclosed. According to JetBrains, the vendor of TeamCity, “The vulnerabilities may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.”
Impact
“In late 2023, governments worldwide raised the alarm that the Russian state-backed group APT29 (… the threat actor behind the 2020 SolarWinds attack) was actively exploiting a similar vulnerability in JetBrains TeamCity that could likewise allow software supply chain cyberattacks.” Due to this track record of exploitability, and the fact that TeamCity is a software development platform, the vulnerabilities are likely a higher priority for those with digital supply chain concerns, especially TeamCity customers who are amongst the Fortune 500.
Affected Assets
JetBrains said that all cloud instances are patched; customers only need to patch on-premises assets. Those assets include all TeamCity on-premises versions through 2023.11.3. The issues have been fixed in version 2023.11.4.
Censys’ Rapid Response Team was able to identify publicly-facing, physical TeamCity assets that are affected by these vulnerabilities. The queries below will accurately uncover these assets as recently observed in our scans.
Censys ASM Risk Name
JetBrains TeamCity Vulnerability [CVE-2024-27198 and CVE-2024-27199]
Censys ASM Query
Censys Search Queries are shared directly with Censys customers. If you would like to obtain the Censys query to identify global instances related to this issue, or need help, please contact us.
Recommendations for remediation
JetBrains recommends that owners of these assets update affected TeamCity servers, if possible. “To update your server, download the latest version (2023.11.4) or use the automatic update option within TeamCity. This version includes patches for the vulnerabilities described above. If you are unable to update your server to version 2023.11.4, we have also released a security patch plugin so that you can still patch your environment. The security patch plugin can be downloaded using one of the links below and installed on all TeamCity versions through 2023.11.3.
Security patch plugin: TeamCity 2018.2 and newer | TeamCity 2018.1 and older
See the TeamCity plugin installation instructions for information on installing the plugin.” – JetBrains
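A triage check for an internal asset inventory, built on the version boundary and the patch-plugin option described above. This is an added example, not Censys or JetBrains code; the hostnames, the record fields (`deployment`, `patch_plugin`, `exposed`) and the status labels are constructed assumptions.

```python
import re

FIXED = (2023, 11, 4)  # first fixed on-premises release named in the advisory


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '2023.11.3' or
    'TeamCity 2018.2'; return None when no dotted version is present."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(asset):
    """Classify one inventory record; the dict keys are assumptions."""
    if asset.get("deployment") == "cloud":
        return "vendor-patched"      # JetBrains states cloud instances are patched
    version = parse_version(asset.get("version"))
    if version is None:
        return "unknown-verify"      # never treat an unparsed version as safe
    if version >= FIXED:
        return "fixed"
    if asset.get("patch_plugin"):
        return "plugin-mitigated"    # patched via plugin, still below 2023.11.4
    return "affected"


def triage(inventory):
    """Group hostnames by status, listing internet-exposed hosts first."""
    groups = {}
    for asset in sorted(inventory, key=lambda a: not a.get("exposed", False)):
        groups.setdefault(classify(asset), []).append(asset["host"])
    return groups


# Constructed sample inventory (hosts and field names are illustrative).
INVENTORY = [
    {"host": "ci-internal.example", "version": "2023.11.3", "deployment": "on-prem", "exposed": False},
    {"host": "ci-edge.example", "version": "TeamCity 2023.05.4", "deployment": "on-prem", "exposed": True},
    {"host": "ci-legacy.example", "version": "2018.1", "deployment": "on-prem", "patch_plugin": True},
    {"host": "ci-new.example", "version": "2023.11.4", "deployment": "on-prem"},
    {"host": "ci-saas.example", "version": None, "deployment": "cloud"},
    {"host": "ci-mystery.example", "version": "unknown", "deployment": "on-prem"},
]

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `unknown-verify` need a manual version check before they are ruled out.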