JetBrains' TeamCity security vulnerability exploited weeks following patch release
A critical authentication bypass vulnerability, known as CVE-2023-42793, has been discovered in JetBrains TeamCity, a popular Continuous Integration/Continuous Deployment (CI/CD) tool. This vulnerability allows for remote code execution (RCE) and has been actively exploited by threat actors, including those linked to North Korea.
Microsoft recently revealed that the threat actors Diamond Sleet and Onyx Sleet have been exploiting this vulnerability to compromise CI/CD servers. By doing so, they can gain unauthorized access and execute malicious code, potentially infiltrating supply chains or deployment pipelines.
The vulnerability was disclosed by JetBrains shortly after its discovery in September 2023. Patched versions have since been released, and users are strongly advised to update their TeamCity deployments to the latest versions (e.g., 2023.05.4 or later) to mitigate this critical risk.
Despite these mitigation efforts, ongoing exploitation attempts are a concern. The severity of the vulnerability and the attractiveness of CI/CD servers for attackers mean that continued vigilance, patching, and monitoring are essential.
It's important to note that TeamCity Cloud, the SaaS version of the application, was not impacted by the vulnerability. However, the on-premises version is at risk, and customers should upgrade to the patched version of the TeamCity server or apply the security plugin.
Microsoft researchers have warned about these state-sponsored intrusions, which leverage zero-day and known vulnerabilities in high-impact software. The attacks by Diamond Sleet and Onyx Sleet are part of a broader pattern.
Corporate stakeholders are increasingly seeking to understand the risk calculus of their technology stacks, asking: are we a target? That trend continues as organizations strive to protect their systems and data from such threats.
In addition to the RCE vulnerability, Diamond Sleet is also known for deploying malicious payloads for use in dynamic-link library search order hijacking attacks.
Daniel Gallo, TeamCity solutions engineer, has stated that a small number of on-premises customers have expressed concerns about potential compromises due to the CVE-2023-42793 vulnerability. However, JetBrains is not aware whether any of its customers have been compromised in the manner Microsoft described.
If a server is publicly accessible over the internet and customers can't immediately upgrade, they should temporarily disconnect it as a precautionary measure. The Cybersecurity and Infrastructure Security Agency has added the authentication bypass vulnerability to its Known Exploited Vulnerabilities catalog, underscoring its severity.
While Microsoft primarily warned about Windows-based environment compromises, Linux-based environments may also be under threat. It is crucial for all users to remain vigilant and up-to-date on patches and threat intelligence to ensure their systems are protected.
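The remediation guidance above reduces to a small decision rule per server: a TeamCity On-Premises instance below 2023.05.4 is affected; it should be upgraded, or have JetBrains' security plugin applied, and if it is reachable from the internet and cannot be upgraded at once it should be disconnected. The following script is an added illustration for defenders, not code from JetBrains or from the article; the inventory records, field names (`internet_facing`, `plugin_applied`) and the `triage` function are assumptions constructed for the example. It only parses version strings and applies the article's rule; it does not contact any server.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# First TeamCity On-Premises release that fixes CVE-2023-42793 (per the article).
FIXED_VERSION: Tuple[int, int, int] = (2023, 5, 4)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a TeamCity version string into a comparable (year, minor, patch) tuple.

    Accepts '2023.05.4', '2023.05' (patch defaults to 0) and strings that carry a
    trailing build annotation such as '2023.05.3 (build 129391)'; only the leading
    dotted numeric part is used.
    """
    numeric = version.strip().split()[0]          # drop any '(build N)' suffix
    parts = [int(p) for p in numeric.split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unrecognised TeamCity version: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the on-premises version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Server:
    """One inventory record (constructed fields; not a TeamCity data structure)."""
    name: str
    version: str
    internet_facing: bool
    plugin_applied: bool = False   # JetBrains' security plugin installed?


def triage(servers: List[Server]) -> Dict[str, str]:
    """Map each server name to the action the article's guidance implies."""
    actions: Dict[str, str] = {}
    for s in servers:
        if not is_vulnerable(s.version):
            actions[s.name] = "patched"
        elif s.plugin_applied:
            actions[s.name] = "mitigated by security plugin; schedule upgrade"
        elif s.internet_facing:
            actions[s.name] = "upgrade now; disconnect from the internet until done"
        else:
            actions[s.name] = "upgrade"
    return actions


# Constructed sample inventory for a stand-alone run.
SAMPLE_INVENTORY = [
    Server("ci-prod", "2023.05.3 (build 129391)", internet_facing=True),
    Server("ci-dev", "2023.05", internet_facing=False),
    Server("ci-legacy", "2022.10.2", internet_facing=False, plugin_applied=True),
    Server("ci-new", "2023.05.4", internet_facing=True),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {action}")
```

Feeding the script a real inventory export is the only change needed to use it; the version check is deliberately conservative and treats any two-component version (no patch number) as patch level 0.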
- The malware deployment by Diamond Sleet, involving dynamic-link library search order hijacking, poses a security threat to the general-news and crime-and-justice sectors, as it targets high-impact software vulnerabilities like CVE-2023-42793 in tools like TeamCity.
- Cybersecurity professionals are emphasizing the importance of prompt upgrades to patched versions of TeamCity to address the critical authentication bypass vulnerability (CVE-2023-42793), especially for on-premises deployments, because it exposes servers to remote code execution attacks.
- Vigilance, patching, and monitoring remain crucial in the face of ongoing exploitation attempts against CVE-2023-42793, particularly for Linux-based environments, where state-sponsored intrusions, such as those linked to North Korea, actively exploit known vulnerabilities.