Critical TeamCity flaw now widely exploited to create admin accounts

March 7, 2024 at 07:34AM

Hackers are exploiting a critical authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises. Hundreds of unpatched instances are being compromised, posing a risk of supply-chain attacks. Vulnerable hosts are mainly in Germany, the United States, and Russia. Rapid7 urges an immediate update to fix the severe issue.

Key takeaways from the article are:

1. Hackers are exploiting the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, with hundreds of new users being created on unpatched instances.

2. Over 1,700 TeamCity servers have yet to receive the fix for this vulnerability, and most of the vulnerable hosts indexed are in Germany, the United States, and Russia.

3. More than 1,440 instances have already been compromised, with users created on compromised instances typically following a specific pattern.

4. There has been a sharp increase in attempts to exploit CVE-2024-27198, with most attempts coming from systems in the United States on the DigitalOcean hosting infrastructure.

5. Compromising a TeamCity server could lead to supply-chain attacks as they may contain sensitive information such as credentials for environments where code is stored and deployed.

6. The vulnerability, with a critical severity score of 9.8 out of 10, affects all releases up to 2023.11.4 of the on-premises version of TeamCity and allows a remote, unauthenticated attacker to take control of a vulnerable server with administrative privileges.

7. JetBrains released TeamCity 2023.11.4 with a fix for CVE-2024-27198, urging all users to update their instances to the latest version due to the observed massive exploitation.

These takeaways highlight the urgency for administrators of on-premises TeamCity instances to update to the newest release immediately and to apply the necessary security measures to protect against exploitation.
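Two checks follow directly from takeaways 3, 6 and 7: is the running TeamCity build older than the 2023.11.4 fix release, and which system-administrator accounts were created during the exploitation window. The script below is an added example for administrators triaging their own servers; it is not code from the article, from Rapid7 or from JetBrains. It assumes only the article's facts (the fix ships in 2023.11.4), and the user-record shape, the role name `SYSTEM_ADMIN`, and the sample records are constructed for illustration rather than taken from TeamCity's own export format or from any observed attacker account.

```python
"""Added example (not from the article): post-advisory triage helpers for a
TeamCity On-Premises administrator responding to CVE-2024-27198."""
import re
from datetime import datetime, timedelta, timezone

# First release carrying the fix, per the article. Any earlier release is unpatched.
FIXED_VERSION = (2023, 11, 4)


def parse_version(text):
    """Extract the numeric release tuple from a TeamCity version string.

    Accepts forms such as '2023.11.3' or '2023.11.3 (build 147512)'; a
    missing third component is treated as 0 and any build suffix is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def needs_patch(version_text):
    """True when the reported version predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def suspicious_admins(users, window, now=None):
    """Return usernames holding the system-administrator role that were created
    within `window` of `now`.

    `users` is a list of dicts with keys 'username', 'roles' (list of str) and
    'created' (ISO 8601 timestamp with offset). This shape and the role name
    'SYSTEM_ADMIN' are assumptions for the example, not TeamCity's export format.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - window
    hits = []
    for user in users:
        created = datetime.fromisoformat(user["created"])
        if "SYSTEM_ADMIN" in user["roles"] and created >= cutoff:
            hits.append(user["username"])
    return hits


# Constructed sample data: one long-standing admin, one service account, and one
# admin account created two days before the article's date.
SAMPLE_USERS = [
    {"username": "jdoe", "roles": ["SYSTEM_ADMIN"],
     "created": "2022-01-15T12:30:00+00:00"},
    {"username": "build-agent-svc", "roles": ["PROJECT_VIEWER"],
     "created": "2023-06-01T09:00:00+00:00"},
    {"username": "x7q2wk9p", "roles": ["SYSTEM_ADMIN"],
     "created": "2024-03-05T03:14:07+00:00"},
]
REVIEW_TIME = datetime(2024, 3, 7, 7, 34, tzinfo=timezone.utc)


if __name__ == "__main__":
    for v in ("2023.11.3 (build 147512)", "2023.11.4", "2023.05.4"):
        print(f"{v:30} needs patch: {needs_patch(v)}")
    print("admins created in last 30 days:",
          suspicious_admins(SAMPLE_USERS, timedelta(days=30), REVIEW_TIME))
```

Run it against the version string from the server's About page and a user export of your own to get a short list of accounts to review; the version check errs on the side of flagging anything older than the fixed release rather than relying on an exact match.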
