Critical TeamCity Bugs Endanger Software Supply Chain

Cloud versions of the JetBrains TeamCity software development platform manager have already been updated against a new pair of critical vulnerabilities, but on-premises deployments need immediate patching, a security advisory from the vendor warned this week.

This is the second round of critical TeamCity vulnerabilities in the past two months. The ramifications could be wide: The company's software development lifecycle (SDLC) platform is used across 30,000 organizations, including Citibank, Nike, and Ferrari.

The TeamCity tool manages the software development CI/CD pipeline, which is the process by which code is built, tested, and deployed. The new vulnerabilities, tracked under CVE-2024-27198 and CVE-2024-27199, could allow threat actors to bypass authentication and gain admin control of the victim's TeamCity server, according to a blog post from TeamCity.

The flaws were found and reported by Rapid7 in February, the company added. The Rapid7 team is poised to release full technical details imminently, making it imperative for teams running TeamCity on-premises versions through 2023.11.3 to get their systems patched before threat actors catch onto the opportunity, the company advised.

In addition to releasing an updated TeamCity version, 2023-11.4, the vendor offered a security patch plugin for teams unable to upgrade quickly.

The CI/CD environment is fundamental to the software supply chain, making it an attractive attack vector for sophisticated advanced persistent threat (APT) groups.

JetBrains TeamCity Bug Endangers Software Supply Chain

In late 2023, governments worldwide raised the alarm that the Russian state-backed group APT29 (aka Nobelium, Midnight Blizzard, and Cozy Bear — the threat actor behind the 2020 SolarWinds attack) was actively exploiting a similar vulnerability in JetBrains TeamCity that could likewise allow software supply chain cyberattacks.

"The ability of an unauthenticated attacker to bypass authentication checks and gain administrative control poses a significant risk not only to the immediate environment but also to the integrity and security of the software being developed and deployed through such compromised CI/CD pipelines," Ryan Smith, head of product for Deepfence, said in a statement.

Smith added the data shows a "notable uptick" in both the volume and the complexity of software supply chain cyberattacks in general.

"The recent JetBrains incident serves as a stark reminder of the criticality of prompt vulnerability management and proactive threat detection strategies," Smith said. "By fostering a culture of agility and resilience, organizations can enhance their ability to thwart emerging threats and safeguard their digital assets effectively."