JetBrains issued a critical security alert on Tuesday for its TeamCity On-Premises software, warning of a vulnerability that could grant attackers administrative control over affected servers.
Tracked as CVE-2024-23917, the flaw carries a CVSS rating of 9.8. All versions from 2017.1 to 2023.11.2 are at risk.
“Authentication and authorization have been at the top of the OWASP Top Ten for over two decades. And it’s obvious that attackers are now focusing on exploiting these critical defenses and gaining administrative access,” commented Jeff Williams, co-founder and CTO at Contrast Security.
“In addition to JetBrains, GoAnywhere MFT recently had a similar issue where they forgot to secure the initial account setup page, enabling unauthenticated attackers to gain administrative access.”
While TeamCity Cloud servers are patched, On-Premises users are urged to update to version 2023.11.3 immediately. A security patch plugin is available for older versions. The company emphasized prompt action to safeguard systems against potential exploitation.
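As an added defender's check (not code from the article or from JetBrains), this Python helper maps a TeamCity version string reported by a server to the affected range and fixed version stated above; the "(build NNN)" display suffix it tolerates and the inventory it prints are constructed assumptions.

```python
import re
from typing import Optional, Tuple

# Affected range and fixed version as stated in the advisory summary above.
FIRST_AFFECTED = (2017, 1, 0)
LAST_AFFECTED = (2023, 11, 2)
FIXED_VERSION = (2023, 11, 3)

# Leading dotted version with up to three numeric parts; anything after it,
# such as an assumed "(build NNN)" display suffix, is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, major, minor) for a TeamCity version string, or None if unparsable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, major, minor = m.groups()
    # Missing components (e.g. "2023.11") are treated as .0
    return (int(year), int(major or 0), int(minor or 0))


def assess(text: str) -> str:
    """Classify a version as 'affected', 'patched', 'outside_range' or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"
    if v >= FIXED_VERSION:
        return "patched"
    # Older than the first version the advisory names; not covered by its statement
    return "outside_range"


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real hosts.
    inventory = {
        "build-01": "2023.11.2 (build 147512)",
        "build-02": "2023.11.3",
        "build-03": "2017.1",
        "build-04": "2016.3",
        "build-05": "n/a",
    }
    for host, version in inventory.items():
        print(f"{host:<9} {version:<28} {assess(version)}")
```

Hosts classified as "unknown" still need a manual check; a server that cannot report its version is exactly the kind of unmanaged asset the remaining quotes warn about.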
“The security patch plugin will only address the vulnerability described above. We always recommend upgrading your server to the latest version to benefit from many other security updates,” reads JetBrains’ blog post.
While there is no evidence that the vulnerability has been abused in the wild, a similar flaw in the same product (CVE-2023-42793) came under active exploitation last year within days of public disclosure.
“TeamCity servers have long been targeted by malicious actors, so the first and most important step for organizations impacted is to patch immediately,” commented Brian Contos, CSO at Sevco Security. “Even when that step has been taken, there is a more insidious threat facing impacted companies.”
A recent study from Sevco showed that 15% of IT assets lack coverage from enterprise patch management solutions, while 31% of IT assets remain outside the purview of enterprise vulnerability management systems.
“It’s hard enough to defend the attack surface you know about, but it becomes impossible when there are vulnerable servers that don’t show up on your IT asset inventory,” Contos added.
“Once the patching is taken care of, security teams must turn their attention to a longer-term, more sustainable approach to vulnerability management. That begins with an accurate IT asset inventory.”