JetBrains TeamCity Authentication Bypass Vulnerabilities | SonicWall

Two vulnerabilities in JetBrains TeamCity (CVE-2024-27198 and CVE-2024-27199) let unauthenticated attackers bypass authentication and perform path traversal to reach and manipulate restricted endpoints, affecting versions before 2023.11.4. SonicWall released IPS signatures and TeamCity advises immediate upgrades to mitigate full-server compromise and configuration tampering. #TeamCity #CVE-2024-27198

Keypoints

  • Two vulnerabilities identified: CVE-2024-27198 (authentication bypass, CVSS 9.8) and CVE-2024-27199 (path traversal, CVSS 7.3).
  • CVE-2024-27198 stems from web-openapi.jar’s BaseController.handleRequestInternal and updateViewIfRequestHasJspParameter allowing arbitrary jsp parameter rendering.
  • Trigger for CVE-2024-27198: cause a 404 response, supply a jsp query parameter pointing to an authenticated endpoint, and craft the URI to terminate with “.jsp” (e.g., using ;.jsp or ?.jsp).
  • CVE-2024-27199 uses path traversal vectors via endpoints like /res/, /update/ and /.well-known/acme-challenge/ to reach restricted pages and modify configurations.
  • Successful exploitation can add an admin user, control builds/projects, upload HTTPS certificates, change HTTPS port—enabling DoS or MITM scenarios.
  • SonicWall published IPS signatures (IDs 15966–15970) to detect exploitation attempts; vendor upgrade to fixed TeamCity versions is strongly recommended.
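As an added detection example (not code from the SonicWall post or from JetBrains), the following Python heuristic flags web-access-log lines that match the two request shapes described in the keypoints: a `jsp` query parameter naming an authenticated endpoint on a request target that ends in `.jsp`, and a `..` segment under one of the traversal prefixes. The log lines, the log format and the endpoint prefix lists are constructed assumptions derived from the paths named above, not values from the advisory.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Authenticated TeamCity endpoints named in the advisory (assumed prefix list); a "jsp"
# query parameter pointing at one of these is the CVE-2024-27198 bypass shape.
AUTH_ENDPOINT_PREFIXES = ("/app/rest/", "/app/https/", "/admin/")
# Unauthenticated prefixes the advisory names as CVE-2024-27199 traversal vectors.
TRAVERSAL_PREFIXES = ("/res/", "/update/", "/.well-known/acme-challenge/")

# Combined-log-format line; only the client IP and the request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not from the advisory): two suspicious, two benign.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Mar/2024:10:01:02 +0000] "GET /sw?jsp=/app/rest/server?.jsp HTTP/1.1" 200 512
203.0.113.9 - - [05/Mar/2024:10:02:00 +0000] "GET /app/rest/server HTTP/1.1" 401 87
198.51.100.7 - - [05/Mar/2024:10:03:05 +0000] "GET /res/../admin/diagnostic.jsp HTTP/1.1" 200 2048
203.0.113.9 - - [05/Mar/2024:10:04:10 +0000] "GET /res/img/logo.png HTTP/1.1" 200 4410
"""


def classify(target: str) -> Optional[str]:
    """Return the CVE id whose request shape the raw request target matches, else None."""
    decoded = unquote(unquote(target))  # decode twice so double-encoded dots are caught too
    parts = urlsplit(decoded)
    path = parts.path  # urlsplit keeps ";param" path parameters, so "/sw;.jsp" stays intact
    # CVE-2024-27198: the target ends in ".jsp" (";.jsp" path parameter or trailing "?.jsp")
    # while the "jsp" query parameter names an authenticated endpoint.
    jsp_values = parse_qs(parts.query, keep_blank_values=True).get("jsp", [])
    ends_jsp = path.lower().endswith(".jsp") or decoded.lower().endswith(".jsp")
    if ends_jsp and any(v.startswith(AUTH_ENDPOINT_PREFIXES) for v in jsp_values):
        return "CVE-2024-27198"
    # CVE-2024-27199: a ".." segment under one of the unauthenticated prefixes.
    if path.startswith(TRAVERSAL_PREFIXES) and ".." in path.split("/"):
        return "CVE-2024-27199"
    return None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Return (client_ip, cve_id, request_target) for every log line matching a vulnerable shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cve = classify(m.group("uri"))
        if cve:
            hits.append((m.group("ip"), cve, m.group("uri")))
    return hits


if __name__ == "__main__":
    for ip, cve, uri in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {cve} {uri}")
```

The rules are heuristics keyed on request shape, not on response status, so they also catch attempts that a patched server rejected; tune the prefix lists to the endpoints your instance exposes.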

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploits vulnerabilities in a public-facing server to bypass authentication and reach restricted endpoints. ‘unauthenticated attackers bypass authentication and perform path traversal to reach and manipulate restricted endpoints’
  • [T1136] Create Account – Attacker can create an admin user to gain privileged access. ‘Successful exploitation can add an admin user’
  • [T1068] Exploitation for Privilege Escalation – Privilege escalation by creating an admin user and altering critical settings. ‘add an admin user, control builds/projects, upload HTTPS certificates, change HTTPS port—enabling DoS or MITM scenarios’
  • [T1565] Data Manipulation – Attacker can modify configurations and settings via path traversal. ‘path traversal vectors via endpoints like /res/, /update/ and /.well-known/acme-challenge/ to reach restricted pages and modify configurations’
  • [T1499] Endpoint Denial of Service – Modifying ports or configs to enable DoS. ‘enabling DoS or MITM scenarios’

Indicators of Compromise

  • [Endpoint/URI] targeted authenticated endpoints and example paths – /app/rest/server, /app/https/settings/certificateInfo, /admin/diagnostic.jsp
  • [IPS Signature] SonicWall detection IDs – 15966, 15967, 15968, 15969, 15970
  • [Hostname] example test host used in PoC request – sw-test.local:8111 (example request: http[:]//sw-test[.]local:8111/sw?jsp=/app/rest/server?.jsp)
  • [Source Domain] vendor advisory/source – https://blog.sonicwall.com/en-us/2024/03/jetbrains-teamcity-authentication-bypass-vulnerabilities/

Read more: https://blog.sonicwall.com/en-us/2024/03/jetbrains-teamcity-authentication-bypass-vulnerabilities/