JetBrains asserts that TeamCity servers have been compromised, while defending its stance on disclosure policies.
A public dispute between software company JetBrains and security researchers at Rapid7 has been unfolding since Feb. 20. The dispute centres on the disclosure of a critical vulnerability, CVE-2024-27198, in the on-premises version of JetBrains TeamCity.
JetBrains notified customers about the vulnerability on an unspecified date earlier this month and released an updated version of TeamCity and a security patch on March 4. However, in an email on Monday, Rapid7 criticized JetBrains for releasing the patch without properly coordinating with the security firm.
CVE-2024-27198 is an authentication bypass in TeamCity's web component that allows attackers to circumvent login controls and gain unauthorized access. The vulnerability is currently being actively exploited in ransomware attacks. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-27198 to its Known Exploited Vulnerabilities (KEV) catalog, signalling a recognized and significant threat.
As of Sunday, Shadowserver reported about 700 instances of exploitation activity against CVE-2024-27198. By March 6, this number had risen to 1,182 possibly vulnerable instances. The exploitation activity is ongoing, according to multiple industry observers.
Threat actors are exploiting these vulnerabilities in the on-premises version of TeamCity. Researchers at GuidePoint reported that the threat group BianLian, known for its malicious activities, exploited CVE-2024-27198 and CVE-2023-42793 for initial access into a vulnerable TeamCity server.
While the specific threat groups exploiting this vulnerability have not been publicly disclosed, the exploitation is attributed to ransomware actors generally. Detection content repositories such as Splunk's track this vulnerability under MITRE ATT&CK technique T1190 (Exploit Public-Facing Application), reflecting active exploitation in the wild.
Given the active exploitation, affected organizations should prioritize patching and mitigation without delay. CISA has urged organizations to review JetBrains' mitigation guidance and apply the security upgrades. Rapid7, in its own report published hours after JetBrains released the patch, stands by its disclosure policy.
- The CVE-2024-27198 vulnerability, an authentication bypass in TeamCity's web component, is currently being exploited in ransomware attacks.
- JetBrains has released a patch for the TeamCity vulnerability (CVE-2024-27198) on March 4, but Rapid7 criticized the company for not coordinating with them before releasing the patch.
- The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-27198 to its Known Exploited Vulnerabilities (KEV) catalog, marking it as a significant and recognized threat.