{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2023-42793/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TeamCity"],"_cs_severities":["critical"],"_cs_tags":["jetbrains","teamcity","rce","cve-2023-42793"],"_cs_type":"advisory","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eThe CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises allows an unauthenticated attacker to perform remote code execution. This vulnerability affects versions prior to 2023.05.4. The vulnerability arises from improper handling of authentication tokens, specifically related to the \u003ccode\u003e/app/rest/users/id:1/tokens/RPC2\u003c/code\u003e endpoint. An attacker can exploit this by sending a specially crafted POST request. Successful exploitation grants the attacker administrative privileges, potentially leading to full system compromise, data breaches, and further unauthorized access within the network. Detection efforts should focus on monitoring web traffic for suspicious POST requests targeting the identified endpoint.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable JetBrains TeamCity On-Premises instance running a version prior to 2023.05.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/app/rest/users/id:1/tokens/RPC2\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted POST request to the vulnerable TeamCity server.\u003c/li\u003e\n\u003cli\u003eThe TeamCity server improperly processes the request due to the CVE-2023-42793 vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized administrative access to the TeamCity server.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained administrative access to execute arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the compromised TeamCity server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised TeamCity server as a pivot point to move laterally within the network and compromise other systems or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-42793 can lead to a complete compromise of the JetBrains TeamCity server. This includes unauthorized access to sensitive project data, build configurations, and potentially source code. Furthermore, attackers can leverage the compromised TeamCity server as a stepping stone to infiltrate other systems within the organization's network, leading to widespread data breaches, ransomware deployment, or intellectual property theft. This vulnerability impacts organizations that rely on JetBrains TeamCity for their CI/CD pipeline.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect TeamCity CVE-2023-42793 Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts based on HTTP requests.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for POST requests to \u003ccode\u003e/app/rest/users/id:1/tokens/RPC2\u003c/code\u003e with a 200 status code, as highlighted in the main search query.\u003c/li\u003e\n\u003cli\u003eApply filters to the Sigma rule \u003ccode\u003eDetect TeamCity CVE-2023-42793 Attempt\u003c/code\u003e to reduce false positives, focusing on uncommon user agents as described in the \u0026quot;known_false_positives\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eImmediately patch all JetBrains TeamCity On-Premises instances to version 2023.05.4 or later to remediate the CVE-2023-42793 vulnerability, as advised by JetBrains.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-jetbrains-teamcity-rce/","summary":"An attacker attempts to exploit the CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises by sending a malicious POST request to gain administrative access and achieve remote code execution.","title":"JetBrains TeamCity CVE-2023-42793 RCE Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-02-jetbrains-teamcity-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2023-42793","version":"https://jsonfeed.org/version/1.1"}