<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2024-27198 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2024-27198/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 May 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2024-27198/feed.xml" rel="self" type="application/rss+xml"/><item><title>JetBrains TeamCity Authentication Bypass Vulnerability (CVE-2024-27198)</title><link>https://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-auth-bypass/</link><pubDate>Fri, 03 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-jetbrains-teamcity-auth-bypass/</guid><description>Exploitation of CVE-2024-27198 in JetBrains TeamCity allows unauthenticated attackers to bypass authentication and gain administrative access by sending malicious HTTP POST requests to specific API endpoints.</description><content:encoded><![CDATA[<p>CVE-2024-27198 is a critical authentication bypass vulnerability affecting JetBrains TeamCity on-premises servers. Disclosed in March 2024, this vulnerability allows unauthenticated attackers to perform administrative actions by crafting specific HTTP POST requests. The vulnerability is triggered by improper handling of requests to the <code>/app/rest/users</code> and <code>/app/rest/users/id:1/tokens</code> endpoints, enabling attackers to bypass authentication checks and create new user tokens with administrative privileges. Successful exploitation grants attackers full control over the TeamCity server, potentially leading to source code compromise, supply chain attacks, and deployment of malicious software. Organizations using vulnerable versions of TeamCity are at high risk and require immediate patching and monitoring.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable JetBrains TeamCity server exposed to the internet.</li>
<li>The attacker sends a crafted HTTP POST request to the <code>/app/rest/users</code> endpoint, bypassing authentication. This request exploits the vulnerability to create a new user account.</li>
<li>The attacker sends another HTTP POST request, this time to the <code>/app/rest/users/id:1/tokens</code> endpoint, again bypassing authentication. This creates an administrative token for the newly created user.</li>
<li>The TeamCity server, due to the vulnerability, incorrectly processes these requests as authenticated, creating the new user and token.</li>
<li>The attacker uses the newly created administrative token to authenticate to the TeamCity server's administrative interface.</li>
<li>The attacker gains full administrative access to the TeamCity server.</li>
<li>The attacker modifies build configurations, injects malicious code into build processes, or exfiltrates sensitive data such as source code and API keys.</li>
<li>The attacker compromises the software supply chain by deploying backdoored software builds through the compromised TeamCity instance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2024-27198 allows attackers to gain complete control over JetBrains TeamCity servers. This can lead to the compromise of source code repositories, build artifacts, and deployment pipelines. Attackers can inject malicious code into software builds, leading to supply chain attacks affecting downstream users. Due to the sensitive nature of TeamCity deployments, a successful attack can lead to significant financial losses, reputational damage, and legal liabilities. The vulnerability poses a critical risk to organizations using affected TeamCity versions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>TeamCity Authentication Bypass Attempt</code> to your SIEM to detect exploitation attempts (log source: <code>webserver</code>).</li>
<li>Ensure your Suricata installation is properly configured to monitor HTTP traffic, as required by the provided Suricata rule (reference: Suricata data source).</li>
<li>Monitor HTTP POST requests to <code>/app/rest/users</code> and <code>/app/rest/users/id:1/tokens</code> endpoints for suspicious activity (reference: Suricata rule).</li>
<li>Apply the latest TeamCity patch to address CVE-2024-27198 (reference: JetBrains advisory).</li>
<li>Investigate and remediate any detected exploitation attempts by reviewing affected systems and logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>jetbrains</category><category>teamcity</category><category>authentication-bypass</category><category>cve-2024-27198</category></item></channel></rss>