JetBrains TeamCity CVE-2023-42793 RCE Attempt
An attacker attempts to exploit the CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises by sending a malicious POST request to gain administrative access and achieve remote code execution.
The CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises allows an unauthenticated attacker to perform remote code execution. This vulnerability affects versions prior to 2023.05.4. The vulnerability arises from improper handling of authentication tokens, specifically related to the /app/rest/users/id:1/tokens/RPC2 endpoint. An attacker can exploit this by sending a specially crafted POST request. Successful exploitation grants the attacker administrative privileges, potentially leading to full system compromise, data breaches, and further unauthorized access within the network. Detection efforts should focus on monitoring web traffic for suspicious POST requests targeting the identified endpoint.
Attack Chain
- The attacker identifies a vulnerable JetBrains TeamCity On-Premises instance running a version prior to 2023.05.4.
- The attacker crafts a malicious POST request targeting the
/app/rest/users/id:1/tokens/RPC2endpoint. - The attacker sends the crafted POST request to the vulnerable TeamCity server.
- The TeamCity server improperly processes the request due to the CVE-2023-42793 vulnerability.
- The attacker gains unauthorized administrative access to the TeamCity server.
- The attacker leverages the gained administrative access to execute arbitrary code on the server.
- The attacker establishes persistence on the compromised TeamCity server.
- The attacker uses the compromised TeamCity server as a pivot point to move laterally within the network and compromise other systems or exfiltrate sensitive data.
Impact
Successful exploitation of CVE-2023-42793 can lead to a complete compromise of the JetBrains TeamCity server. This includes unauthorized access to sensitive project data, build configurations, and potentially source code. Furthermore, attackers can leverage the compromised TeamCity server as a stepping stone to infiltrate other systems within the organization's network, leading to widespread data breaches, ransomware deployment, or intellectual property theft. This vulnerability impacts organizations that rely on JetBrains TeamCity for their CI/CD pipeline.
Recommendation
- Deploy the Sigma rule
Detect TeamCity CVE-2023-42793 Attemptto your SIEM to detect exploitation attempts based on HTTP requests. - Inspect web server logs for POST requests to
/app/rest/users/id:1/tokens/RPC2with a 200 status code, as highlighted in the main search query. - Apply filters to the Sigma rule
Detect TeamCity CVE-2023-42793 Attemptto reduce false positives, focusing on uncommon user agents as described in the "known_false_positives" section. - Immediately patch all JetBrains TeamCity On-Premises instances to version 2023.05.4 or later to remediate the CVE-2023-42793 vulnerability, as advised by JetBrains.
Detection coverage 2
Detect TeamCity CVE-2023-42793 Attempt
criticalDetects attempts to exploit CVE-2023-42793 in JetBrains TeamCity On-Premises by identifying suspicious POST requests to the RPC2 endpoint.
Detect TeamCity CVE-2023-42793 Exploitation via User Agent
highDetects exploitation of CVE-2023-42793 by looking for specific user agents often used in exploitation attempts.
Detection queries are available on the platform. Get full rules →