Critical JetBrains TeamCity vulnerability could be exploited to launch supply chain attacks (CVE-2023-42793)

Software development firm JetBrains has fixed a critical vulnerability (CVE-2023-42793) in its TeamCity continuous integration and continuous delivery (CI/CD) solution, which may allow authenticated attackers to achieve remote code execution and gain control of the server.

CVE-2023-42793

“As of September 25, 2023, Rapid7 is not aware of in-the-wild exploitation of CVE-2023-42793, and no public exploit code is available,” shared Caitlin Condon, head of vulnerability research at Rapid7.

About CVE-2023-42793

CVE-2023-42793 is an authentication bypass vulnerability that affects versions 2023.05.3 and below of TeamCity On-Premises.

According to Stefan Schiller, a security researcher with Sonar who reported the flaw, attackers don’t have to rely on user interaction to trigger it.

“[The vulnerability] enables attackers not only to steal source code but also stored service secrets and private keys. And it’s even worse: With access to the build process, attackers can inject malicious code, compromising the integrity of software releases and impacting all downstream users,” Shiller added.

Upgrade, patch or block Internet access to the server

CVE-2023-42793 has been fixed in version 2023.05.4 of TeamCity On-Premises.

Customers who are unable to upgrade to it can implement a patch, but should know the patch fixes only that flaw. Users running TeamCity 2018.2 and later won’t have to restart the server to enable the plugin once installed, but those running versions 8.0 to 2018.1 must perform a server restart.

“While we won’t be disclosing technical details at this time, we want to emphasize the importance of prompt action to mitigate this risk. Because this vulnerability does not require a valid account on the target instance and is trivial to exploit, it is likely that this vulnerability will be exploited in the wild,” Schiller commented, and noted that Shodan currently shows over 3,000 on-premises TeamCity servers accessible from the Internet.

In case upgrading or installing the patch can’t be done immediately, users should mitigate the risk of exploitation by making their server temporarily inaccessible.

UPDATE (September 28, 2023, 05:40 a.m. ET):

Rapid7 has published a technical analysis of the vulnerability and has shared possible indicators of compromise.

UPDATE (September 29, 2023, 08:55 a.m. ET):

Greynoise is tracking many IP addresses from which CVE-2023-42793 exploit attempts of are being made.

Don't miss