<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2023-42793 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2023-42793/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2023-42793/feed.xml" rel="self" type="application/rss+xml"/><item><title>JetBrains TeamCity CVE-2023-42793 RCE Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-jetbrains-teamcity-rce/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-jetbrains-teamcity-rce/</guid><description>An attacker attempts to exploit the CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises by sending a malicious POST request to gain administrative access and achieve remote code execution.</description><content:encoded><![CDATA[<p>The CVE-2023-42793 vulnerability in JetBrains TeamCity On-Premises allows an unauthenticated attacker to perform remote code execution. This vulnerability affects versions prior to 2023.05.4. The vulnerability arises from improper handling of authentication tokens, specifically related to the <code>/app/rest/users/id:1/tokens/RPC2</code> endpoint. An attacker can exploit this by sending a specially crafted POST request. Successful exploitation grants the attacker administrative privileges, potentially leading to full system compromise, data breaches, and further unauthorized access within the network. Detection efforts should focus on monitoring web traffic for suspicious POST requests targeting the identified endpoint.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable JetBrains TeamCity On-Premises instance running a version prior to 2023.05.4.</li>
<li>The attacker crafts a malicious POST request targeting the <code>/app/rest/users/id:1/tokens/RPC2</code> endpoint.</li>
<li>The attacker sends the crafted POST request to the vulnerable TeamCity server.</li>
<li>The TeamCity server improperly processes the request due to the CVE-2023-42793 vulnerability.</li>
<li>The attacker gains unauthorized administrative access to the TeamCity server.</li>
<li>The attacker leverages the gained administrative access to execute arbitrary code on the server.</li>
<li>The attacker establishes persistence on the compromised TeamCity server.</li>
<li>The attacker uses the compromised TeamCity server as a pivot point to move laterally within the network and compromise other systems or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2023-42793 can lead to a complete compromise of the JetBrains TeamCity server. This includes unauthorized access to sensitive project data, build configurations, and potentially source code. Furthermore, attackers can leverage the compromised TeamCity server as a stepping stone to infiltrate other systems within the organization's network, leading to widespread data breaches, ransomware deployment, or intellectual property theft. This vulnerability impacts organizations that rely on JetBrains TeamCity for their CI/CD pipeline.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect TeamCity CVE-2023-42793 Attempt</code> to your SIEM to detect exploitation attempts based on HTTP requests.</li>
<li>Inspect web server logs for POST requests to <code>/app/rest/users/id:1/tokens/RPC2</code> with a 200 status code, as highlighted in the main search query.</li>
<li>Apply filters to the Sigma rule <code>Detect TeamCity CVE-2023-42793 Attempt</code> to reduce false positives, focusing on uncommon user agents as described in the &quot;known_false_positives&quot; section.</li>
<li>Immediately patch all JetBrains TeamCity On-Premises instances to version 2023.05.4 or later to remediate the CVE-2023-42793 vulnerability, as advised by JetBrains.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>jetbrains</category><category>teamcity</category><category>rce</category><category>cve-2023-42793</category></item></channel></rss>