CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Authentication Bypass Vulnerabilities Explained


On March 4, 2024, JetBrains disclosed two critical vulnerabilities affecting the JetBrains TeamCity CI/CD server [1]. CVE-2024-27198 and CVE-2024-27199 are authentication bypass vulnerabilities with CVSS scores of 9.8 (Critical) and 7.3 (High), respectively. CVE-2024-27198 has the higher severity score because it can be exploited for unauthenticated remote code execution. Since adversaries who take full control of a TeamCity server can also tamper with the builds it produces and mount supply chain attacks, organizations are advised to patch their vulnerable TeamCity servers as soon as possible.

In this blog, we explain how the JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199 vulnerabilities work and how organizations can defend against attacks that exploit them.

JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199 Vulnerabilities Explained

JetBrains TeamCity is a continuous integration and continuous delivery (CI/CD) server that is widely adopted across a range of industries, from startups to large enterprises. On March 4, 2024, JetBrains disclosed two authentication bypass vulnerabilities affecting TeamCity On-Premises. CVE-2024-27198 and CVE-2024-27199 have CVSS scores of 9.8 (Critical) and 7.3 (High), respectively. While CVE-2024-27199 allows limited unauthenticated information disclosure and system modification, CVE-2024-27198 may lead to unauthenticated remote code execution and can be exploited by adversaries to take full control of the TeamCity server. Both vulnerabilities affect all TeamCity On-Premises versions up to and including 2023.11.3; TeamCity Cloud is not affected. JetBrains released version 2023.11.4 to address both vulnerabilities, and also published a security patch plugin for servers that cannot be upgraded immediately [1]. Organizations are advised to update their TeamCity servers to 2023.11.4 or later.

How Does the JetBrains TeamCity CVE-2024-27198 Exploit Work?

CVE-2024-27198 is an authentication bypass using an alternate path or channel (CWE-288) in the BaseController class of the web-openapi.jar library [2]. After a controller has produced its response, BaseController checks whether the request carries a "jsp" query parameter whose value ends in ".jsp"; if it does and the response is not a redirect, the controller replaces the view to be rendered with that value and forwards the request to it internally. The internal forward does not pass through TeamCity's authentication filter again, so an unauthenticated request for a path that does not exist (which TeamCity answers with a 404 view rather than a redirect) can be turned into a request to any internal endpoint. Appending ";.jsp" to the target satisfies the ".jsp" suffix check, while the servlet container treats ";.jsp" as a path parameter and drops it when resolving the forward, so the request lands on the real endpoint, for example the REST API. Because the forwarded request keeps its HTTP method and body, adversaries can read privileged information and, through the REST API, create an administrator account and go on to execute commands on the server with administrator privileges.

The example HTTP POST request below exploits CVE-2024-27198 to add a new administrator user. Note that the request itself targets a non-existent path (/notexist), that the real target is carried in the "jsp" query parameter, and that ";.jsp" is appended to the API endpoint so the value ends in ".jsp". The "g" scope in the body assigns the SYSTEM_ADMIN role globally.

POST /notexist?jsp=/app/rest/users;.jsp HTTP/1.1
Content-Type: application/json
Content-Length: 120

{"username": "test", "password": "test", "email": "test", "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]}}

JetBrains TeamCity CVE-2024-27198 Vulnerability Exploit Example

How Does the JetBrains TeamCity CVE-2024-27199 Exploit Work?

CVE-2024-27199 is a relative path traversal weakness (CWE-23) in the check TeamCity uses to decide which paths may be served without authentication [2]. Certain path prefixes, such as /res/, are meant to serve only static resources and are therefore exempt from authentication, but the exemption is evaluated on the request path as received, before "/../" segments are resolved. A request whose path begins with an exempt prefix and then traverses out of it with a double-dot segment ("/../") passes the exemption check, and the servlet container then dispatches it to the real target, an endpoint that would otherwise require authentication.

The example HTTP GET request below exploits CVE-2024-27199 to view the server's diagnostic page without authentication. When reproducing this with a client such as curl, pass --path-as-is, since most clients collapse "/../" before sending the request.

GET /res/../admin/diagnostic.jsp HTTP/1.1

JetBrains TeamCity CVE-2024-27199 Vulnerability Exploit Example

The same traversal also reaches /app/https/settings/uploadCertificate and the neighbouring HTTPS settings endpoints without authentication. An attacker can use this to upload a new HTTPS certificate for the TeamCity server and to change the port number the HTTPS service listens on. Since the traversal applies to POST requests as well, the bypass is not limited to reading information.
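The following is an added illustration of the weakness behind CVE-2024-27199, not TeamCity's code: a simplified authentication filter that decides whether a request may skip authentication. The weak version checks the raw request path against the exempt /res/ prefix named above; the hardened version first resolves percent-encoding, ";" path parameters and "/../" segments to the path the container will actually dispatch to. The exempt prefix and the endpoint names come from the text; the filter structure and the function names are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

# Path prefixes served without authentication. Only /res/ is named on this
# page; a real filter would list every exempt prefix.
UNAUTHENTICATED_PREFIXES = ("/res/",)


def weak_requires_auth(raw_path: str) -> bool:
    """Vulnerable pattern: the exemption is decided on the path exactly as
    received, so '/res/../admin/diagnostic.jsp' looks like a static resource
    even though the container will dispatch it to /admin/diagnostic.jsp."""
    return not raw_path.startswith(UNAUTHENTICATED_PREFIXES)


def canonical_path(raw_path: str) -> str:
    """Resolve the path the servlet container will actually serve:
    percent-decode (twice, to defeat double encoding such as %252e),
    drop ';key=value' path parameters from each segment (the same step that
    turns '/app/rest/users;.jsp' into '/app/rest/users' in CVE-2024-27198),
    then collapse '.' and '..' segments."""
    path = unquote(unquote(raw_path))
    path = "/".join(segment.split(";", 1)[0] for segment in path.split("/"))
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path  # normpath only drops the slash for relative input
    return path


def hardened_requires_auth(raw_path: str) -> bool:
    """Fixed pattern: decide on the canonical path. A request that escapes
    the exempt prefix through '..' resolves to a path outside it and so
    falls back to requiring authentication (fail closed)."""
    return not canonical_path(raw_path).startswith(UNAUTHENTICATED_PREFIXES)


def compare(raw_path: str) -> dict:
    """Show both decisions side by side for one request path."""
    return {
        "raw": raw_path,
        "resolves_to": canonical_path(raw_path),
        "weak_requires_auth": weak_requires_auth(raw_path),
        "hardened_requires_auth": hardened_requires_auth(raw_path),
    }


if __name__ == "__main__":
    for candidate in (
        "/res/img/logo.png",                     # legitimate static resource
        "/res/../admin/diagnostic.jsp",          # request shown on this page
        "/res/%2e%2e/app/https/settings/uploadCertificate",
        "/res/%252e%252e/admin/diagnostic.jsp",  # double-encoded variant
    ):
        print(compare(candidate))
```

The point of canonical_path is that the decision and the dispatch must see the same path; any check performed on a representation the container later rewrites (encoded characters, path parameters, dot segments) can be steered around.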

How Does Picus Help Simulate JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199 Attacks?

We also strongly suggest simulating the JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199 vulnerabilities to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Citrix Bleed, Follina, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threat for JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199 vulnerability exploitation attacks:

Threat ID   Threat Name                         Attack Module
29141       JetBrains Hub Web Attack Campaign   Web Application

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address the JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199 vulnerabilities in preventive security controls. Currently, Picus Labs has validated the following signatures for the JetBrains TeamCity CVE-2024-27198 and CVE-2024-27199 vulnerabilities:

Security Control   Signature ID   Signature Name
F5 BIG-IP          200007035      Directory Traversal attempt "../" (URI) (%2e%2e)
FortiWeb           050180008      Generic Attacks
Trellix            0x40200c00     HTTP: CGI Escape Character Directory Traversal Vulnerability
ModSecurity        930100         Path Traversal Attack (/../)
ModSecurity        930110         Path Traversal Attack (/../)
Snort              1.57575.1      POLICY-OTHER SSL certificate upload attempt

Every signature above matches the "/../" traversal or the certificate upload used in CVE-2024-27199 attacks; none of their names refers to the "jsp" query parameter or the ";.jsp" path-parameter suffix that CVE-2024-27198 relies on, so confirm separately that your controls block requests of that shape.
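As an added example that is not part of the Picus threat or mitigation content, the script below scans web-server access log lines for the two request shapes shown earlier on this page: a "jsp" query parameter that ends in ".jsp" but, once the ";" path parameter is dropped, points at a non-JSP endpoint (CVE-2024-27198), and a "/../" traversal, plain or percent-encoded, that resolves into an /admin/ or /app/ path (CVE-2024-27199). The log lines are constructed for the example; the combined-log format, the assumption that the server records the query string, and the set of protected prefixes are assumptions for the example, not facts about TeamCity's logging.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Combined-log style line; the format is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Paths that must never be reachable by way of an unauthenticated prefix
# (assumed set; extend it to whatever your deployment treats as privileged).
PROTECTED_PREFIXES = ("/admin/", "/app/")

# Constructed sample lines: three exploit attempts from one address and
# three ordinary requests from another.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2024:10:01:02 +0000] "POST /notexist?jsp=/app/rest/users;.jsp HTTP/1.1" 200 1024
203.0.113.7 - - [05/Mar/2024:10:01:03 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [05/Mar/2024:10:01:04 +0000] "POST /res/%2e%2e/app/https/settings/uploadCertificate HTTP/1.1" 200 64
198.51.100.5 - - [05/Mar/2024:10:02:00 +0000] "GET /res/img/logo.png HTTP/1.1" 200 2048
198.51.100.5 - - [05/Mar/2024:10:02:01 +0000] "GET /app/rest/users HTTP/1.1" 401 0
198.51.100.5 - - [05/Mar/2024:10:02:02 +0000] "GET /viewLog.html?buildId=1 HTTP/1.1" 200 9000
"""


def query_values(query: str, name: str) -> list:
    """Minimal query parser: split on '&' only, so a ';' inside a value (the
    path-parameter trick) survives, then percent-decode key and value."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            values.append(unquote(value))
    return values


def strip_path_params(path: str) -> str:
    """Drop ';key=value' path parameters from every segment, as the servlet
    container does before dispatching a forward."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def jsp_forward_target(uri: str):
    """CVE-2024-27198 shape: a 'jsp' parameter that satisfies the vulnerable
    endsWith(".jsp") check yet resolves to a non-JSP endpoint.
    Returns the endpoint the request would be forwarded to, or None."""
    for value in query_values(urlsplit(uri).query, "jsp"):
        if not value.endswith(".jsp"):
            continue
        target = strip_path_params(value)
        if not target.endswith(".jsp"):
            return target
    return None


def traversal_target(uri: str):
    """CVE-2024-27199 shape: a path with a '..' segment (plain or percent-
    encoded, including double encoding) that resolves into a protected
    prefix. Returns the resolved path, or None."""
    decoded = unquote(unquote(urlsplit(uri).path))
    if ".." not in decoded.split("/"):
        return None
    resolved = posixpath.normpath(decoded)
    return resolved if resolved.startswith(PROTECTED_PREFIXES) else None


def scan(log_text: str) -> list:
    """Return one finding per matching line: which CVE pattern matched, the
    source address, method, HTTP status and the effective target."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for cve, target in (
            ("CVE-2024-27198", jsp_forward_target(m["uri"])),
            ("CVE-2024-27199", traversal_target(m["uri"])),
        ):
            if target:
                findings.append({
                    "cve": cve,
                    "ip": m["ip"],
                    "method": m["method"],
                    "status": int(m["status"]),
                    "target": target,
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The status code is kept in each finding because a 200 on a forwarded /app/rest/users POST or on /admin/diagnostic.jsp from an unauthenticated source is the difference between an attempt and a likely compromise; a 401 or 404 on the same shapes still warrants a look at the source address.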

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] D. Gallo, "Additional Critical Security Issues Affecting TeamCity On-Premises (CVE-2024-27198 and CVE-2024-27199) – Update to 2023.11.4 Now," The JetBrains Blog. Available: https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/. [Accessed: Mar. 05, 2024]

[2] "CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED)," Rapid7, Mar. 04, 2024. Available: https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/. [Accessed: Mar. 05, 2024]