{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2024-27198/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TeamCity"],"_cs_severities":["critical"],"_cs_tags":["jetbrains","teamcity","authentication-bypass","cve-2024-27198"],"_cs_type":"advisory","_cs_vendors":["JetBrains"],"content_html":"\u003cp\u003eCVE-2024-27198 is a critical authentication bypass vulnerability affecting JetBrains TeamCity on-premises servers. Disclosed in March 2024, this vulnerability allows unauthenticated attackers to perform administrative actions by crafting specific HTTP POST requests. The vulnerability is triggered by improper handling of requests to the \u003ccode\u003e/app/rest/users\u003c/code\u003e and \u003ccode\u003e/app/rest/users/id:1/tokens\u003c/code\u003e endpoints, enabling attackers to bypass authentication checks and create new user tokens with administrative privileges. Successful exploitation grants attackers full control over the TeamCity server, potentially leading to source code compromise, supply chain attacks, and deployment of malicious software. Organizations using vulnerable versions of TeamCity are at high risk and require immediate patching and monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable JetBrains TeamCity server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to the \u003ccode\u003e/app/rest/users\u003c/code\u003e endpoint, bypassing authentication. This request exploits the vulnerability to create a new user account.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP POST request, this time to the \u003ccode\u003e/app/rest/users/id:1/tokens\u003c/code\u003e endpoint, again bypassing authentication. This creates an administrative token for the newly created user.\u003c/li\u003e\n\u003cli\u003eThe TeamCity server, due to the vulnerability, incorrectly processes these requests as authenticated, creating the new user and token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created administrative token to authenticate to the TeamCity server's administrative interface.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full administrative access to the TeamCity server.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies build configurations, injects malicious code into build processes, or exfiltrates sensitive data such as source code and API keys.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the software supply chain by deploying backdoored software builds through the compromised TeamCity instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-27198 allows attackers to gain complete control over JetBrains TeamCity servers. This can lead to the compromise of source code repositories, build artifacts, and deployment pipelines. Attackers can inject malicious code into software builds, leading to supply chain attacks affecting downstream users. Due to the sensitive nature of TeamCity deployments, a successful attack can lead to significant financial losses, reputational damage, and legal liabilities. The vulnerability poses a critical risk to organizations using affected TeamCity versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eTeamCity Authentication Bypass Attempt\u003c/code\u003e to your SIEM to detect exploitation attempts (log source: \u003ccode\u003ewebserver\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnsure your Suricata installation is properly configured to monitor HTTP traffic, as required by the provided Suricata rule (reference: Suricata data source).\u003c/li\u003e\n\u003cli\u003eMonitor HTTP POST requests to \u003ccode\u003e/app/rest/users\u003c/code\u003e and \u003ccode\u003e/app/rest/users/id:1/tokens\u003c/code\u003e endpoints for suspicious activity (reference: Suricata rule).\u003c/li\u003e\n\u003cli\u003eApply the latest TeamCity patch to address CVE-2024-27198 (reference: JetBrains advisory).\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any detected exploitation attempts by reviewing affected systems and logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T12:00:00Z","date_published":"2024-05-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-auth-bypass/","summary":"Exploitation of CVE-2024-27198 in JetBrains TeamCity allows unauthenticated attackers to bypass authentication and gain administrative access by sending malicious HTTP POST requests to specific API endpoints.","title":"JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-27198)","url":"https://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2024-27198","version":"https://jsonfeed.org/version/1.1"}