Vulnerability
Discover and address the critical JetBrains TeamCity vulnerability (CVE-2023-427...
CVE-2023-42793, a critical vulnerability resulting in ripples, specifically targets TeamCity, JetBrains' popular CI/CD server. Its implications are significant, granting unauthenticated attackers the ability to execute arbitrary code on TeamCity servers, thereby facilitating remote code execution (RCE).
Here, in this [Threatfeed](https://www.secureblink.com/cyber-security-news) we delve into the details of CVE-2023-42793, assess its consequences, and discuss the measures required to safeguard your systems.
## Key Information
### Sonar's Discovery
The discovery of CVE-2023-42793 can be credited to Sonar's Vulnerability Research Team. They discovered a vulnerability that enables unauthenticated attackers to gain remote code execution privileges on TeamCity servers. This vulnerability poses an imminent threat, as it allows attackers to steal source code, access sensitive service secrets and private keys, manipulate the build process, and compromise the integrity of software releases. This vulnerability is not dependent on user interaction, making it an enticing target for malicious actors. Meanwhile, Greynoise is currently tracking many IP addresses from which CVE-2023-42793 exploit attempts are being made.
### Vulnerability Details
The root cause of this vulnerability lies in an authentication bypass. Specifically, TeamCity versions 2023.05.3 and earlier of the on-premises variant are susceptible. Attackers can exploit this flaw without requiring a valid account on the target instance, rendering it easily exploitable. As a result, we are compelled to emphasize the urgency of prompt action to mitigate this risk.
## Impact
### The Gravity of RCE
[CVE-2023-42793](https://nvd.nist.gov/vuln/detail/CVE-2023-42793) strikes at the heart of cybersecurity concerns. With RCE capabilities, attackers can not only pilfer source code but also gain access to highly confidential service secrets and private keys. Moreover, the ability to interfere with the build process by injecting malicious code jeopardizes the integrity of software releases. The most concerning aspect is that this vulnerability requires no user interaction, making it an attractive option for cybercriminals.
### Urgency of Action
To underscore the urgency of the situation, it's crucial to note that this vulnerability does not necessitate a valid account on the targeted instance. Its trivial exploitability raises concerns about its potential exploitation in the wild. Shodan currently identifies over 3,000 on-premises TeamCity servers accessible from the Internet.
## Indicators of Compromise
### Unveiling Malicious Activity
One crucial indicator of compromise is the existence of an authentication token named RPC2. This token's presence strongly suggests unauthorized and potentially malicious user activity on the server. It's essential to recognize that an attacker may attempt to cover their tracks by deleting or renaming this token post-exploitation.
## Technical Details
### Request Interceptors
TeamCity employs request interceptors to execute specific actions for every HTTP request. A critical role of these interceptors is the authorization mechanism. These interceptors are part of the global request handling process and are often overlooked during security assessments. In the context of this vulnerability, a wildcard expression, "**/RPC2," was unintentionally included, disabling the authorization check for requests ending with "/RPC2."
### Request Path Parameters
TeamCity offers a REST API for external application integration. While the documentation outlines endpoints, some hidden endpoints, like "/app/rest/users/<userLocator>/tokens/{name}," can be exploited. This specific endpoint allows an unauthenticated attacker to create a new authentication token with an arbitrary name, including "RPC2."
## Patch
### The Path to Security
JetBrains swiftly addressed this vulnerability with the release of TeamCity version 2023.05.4. The patch removes the wildcard expression for the "/RPC2" pre-handling exception, ensuring that pre-handling is only disabled when "/RPC2" is accessed directly without additional prefixes in the requested path. This measure effectively prevents authentication bypass for other endpoints.
## Timeline
### Collaborative Efforts
JetBrains and the Sonar Vulnerability Research Team maintained open communication throughout the discovery and remediation process. JetBrains' rapid response and efficient collaboration ensured a swift resolution to this critical security issue.
- **September 6, 2023**: The vulnerability is reported to JetBrains.
- **September 6, 2023**: JetBrains acknowledges receipt of the report.
- **September 7, 2023**: JetBrains fixes the issue in the 2023.05 branch.
- **September 12, 2023**: JetBrains prepares a plugin as a workaround.
- **September 14, 2023**: JetBrains confirms the issue as a major security concern.
- **September 18, 2023**: TeamCity version 2023.05.4 is released, addressing the vulnerability.
- **September 18, 2023**: JetBrains notifies customers to update promptly.
- **September 19, 2023**: CVE-2023-42793 is published.
- **September 21, 2023**: Coordinated release of blog posts from JetBrains and Sonar.
- **September 27, 2023**: Full disclosure follows the public release of an exploit.
## Learnings
### The Importance of Authorization
This incident underscores the significance of authorization checks. While endpoints often receive individual checks, global request interceptors are frequently overlooked. These interceptors, part of the global attack surface, must not be neglected in security assessments.
### Taming Wildcards
Wildcard expressions, while versatile, can inadvertently expose vulnerabilities. A more restrictive approach is advisable to prevent unintended vulnerabilities like the inclusion of "/**/RPC2."
