Critical CVE-2023-42793: Authentication Bypass in JetBrains TeamCity Exploited by APT Groups

Executive Summary

CVE-2023-42793 is a critical authentication bypass vulnerability in JetBrains TeamCity, a widely used continuous integration and continuous delivery (CI/CD) server. This vulnerability allows unauthenticated attackers to gain remote code execution (RCE) capabilities on the affected TeamCity servers. With a CVSS score of 9.8, this vulnerability is of utmost concern due to its potential to cause significant damage. Notably, multiple North Korean threat actors, including Diamond Sleet and Onyx Sleet, as well as the Russian Foreign Intelligence Service (SVR), also known as CozyBear, have been observed exploiting this vulnerability. These groups have primarily targeted software developers and CI/CD environments, posing a severe risk to the integrity and security of software development pipelines.

Technical Information

CVE-2023-42793 is an authentication bypass vulnerability in JetBrains TeamCity versions prior to 2023.05.4. The vulnerability allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to perform remote code execution. The vulnerability is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and has a CVSS score of 9.8, indicating its critical severity. The attack vector is network-based, with low attack complexity, no privileges required, and no user interaction needed. The impact on confidentiality, integrity, and availability is high.

The vulnerability arises from improper handling of authentication tokens, allowing attackers to bypass authentication mechanisms and gain administrative access to the TeamCity server. Once authenticated, attackers can execute arbitrary code, create new administrative users, and gain full control over the CI/CD environment. This can lead to the compromise of the entire software development pipeline, including the injection of malicious code into software builds, exfiltration of sensitive data, and disruption of development operations.

A proof of concept (PoC) for this vulnerability is available on GitHub, demonstrating how an attacker can exploit the vulnerability to create a new user with administrative privileges on the TeamCity server. The PoC uses a Python script to send crafted HTTP requests to the vulnerable server, bypassing authentication and gaining administrative access.

For more technical details, you can refer to the following resources:
- Microsoft Security Blog
- Picus Security Blog
- Rapid7 Blog
- GitHub PoC

Exploitation in the Wild

Multiple North Korean threat actors, including Diamond Sleet and Onyx Sleet, have been observed exploiting this vulnerability. Additionally, the Russian Foreign Intelligence Service (SVR), also known as CozyBear, has been reported to target software developers using this vulnerability. These groups exploit the authentication bypass to create new administrative users or execute arbitrary code on the TeamCity server, leading to full control over the CI/CD environment. Indicators of Compromise (IoCs) include the creation of new administrative users and unusual outbound traffic from the TeamCity server, which may indicate data exfiltration or command and control communication.

APT Groups using this vulnerability

The primary APT groups exploiting CVE-2023-42793 are Diamond Sleet and Onyx Sleet from North Korea, and the Russian Foreign Intelligence Service (SVR), also known as CozyBear. These groups have targeted software developers and CI/CD environments, aiming to compromise the integrity and security of software development pipelines. Their activities have been observed in various sectors, including technology, finance, and government, across multiple countries.

Affected Product Versions

The affected product versions are JetBrains TeamCity versions prior to 2023.05.4. It is crucial for organizations using these versions to update to the latest version to mitigate the risk of exploitation.
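A fleet triage helper that applies the version boundary stated above (anything before 2023.05.4 is affected), as an added example that is not part of the original report or of JetBrains' tooling. It assumes an inventory of (hostname, reported version string) pairs gathered by whatever asset-management process an organization already has; the inventory below is constructed for illustration. Versions with fewer than three components (for example a bare 2023.05) are padded with zeros so they compare as a .0 release, and strings that carry no parseable version are reported separately for manual review rather than silently treated as patched.

```python
import re

# First fixed release named in the advisory; everything below it is affected.
FIXED_VERSION = "2023.05.4"


def parse_version(text):
    """Return the leading dotted numeric version as a tuple of ints,
    padded to three components, or None if nothing parseable is found."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version_text):
    """True if the version precedes the fixed release, False if it is the
    fixed release or later, None if the version could not be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None
    return version < parse_version(FIXED_VERSION)


def triage(inventory):
    """Split an inventory of (hostname, version string) pairs into
    affected, patched and unknown buckets."""
    result = {"affected": [], "patched": [], "unknown": []}
    for hostname, version_text in inventory:
        status = is_affected(version_text)
        if status is None:
            result["unknown"].append(hostname)
        elif status:
            result["affected"].append(hostname)
        else:
            result["patched"].append(hostname)
    return result


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("ci-build-01.example.internal", "2023.05.3"),
    ("ci-build-02.example.internal", "2023.05.4"),
    ("ci-legacy.example.internal", "2022.10.1"),
    ("ci-staging.example.internal", "2023.05"),
    ("ci-new.example.internal", "2024.03"),
    ("ci-unknown.example.internal", "version lookup failed"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-8s %s" % (bucket + ":", ", ".join(hosts) or "-"))
```

Hosts that land in the affected bucket are the ones to patch first; hosts in the unknown bucket need their version confirmed by hand, since an unreadable version string is not evidence that the server is up to date.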

Workaround and Mitigation

To mitigate the risk of exploitation, it is strongly recommended to update to the latest version of JetBrains TeamCity (2023.05.4 or later). The vendor has released a patch to address this vulnerability, and it is essential to apply this update as soon as possible. Additionally, organizations should implement network segmentation to ensure that CI/CD servers are segmented from the rest of the network, limiting the impact of a potential breach. Strict access controls and monitoring for CI/CD environments should also be implemented to detect and prevent unauthorized access.

For more information on the vendor's recommendations, you can refer to the following resources:
- JetBrains TeamCity Blog

References

Rescana is here for you

At Rescana, we understand the critical importance of securing your CI/CD environments. Our Continuous Threat and Exposure Management (CTEM) platform helps you identify, assess, and mitigate vulnerabilities like CVE-2023-42793, ensuring the security and integrity of your software development pipelines. We are committed to providing you with the tools and expertise needed to protect your organization from emerging threats. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
