CVE-2024-27198
JetBrains TeamCity vulnerability analysis and mitigation

Summary

CVE-2024-27198 is an authentication bypass vulnerability in TeamCity published on March 5, 2024. On March 7, 2024, CVE-2024-27198 was added to the CISA Known Exploited Vulnerabilities catalog based on evidence of active exploitation. In addition, researchers identified exploitation of CVE-2024-27198 by the BianLian threat group for the deployment of a PowerShell implementation of BianLian’s GO backdoor. It is recommended to look for indicators of compromise in your environment, and if any are identified, remove the files immediately and redeploy workloads from a known clean state.

March 11 update: Indicators of compromise have been added below.

Technical details

CVE-2024-27198

By default, TeamCity exposes a web server on HTTP port 8111 (with the option to configure it for HTTPS). This vulnerability allows an attacker to craft a URL that circumvents all authentication checks, giving direct access to endpoints that normally require authentication. As a result, a remote, unauthenticated attacker can seize full control of a susceptible TeamCity server.

CVE-2024-27199

This vulnerability permits limited information disclosure and system modification. This includes the ability of an unauthenticated attacker to replace the HTTPS certificate on a vulnerable TeamCity server with a certificate of their choosing.

Indicators of compromise

Indicator                                                        | Type       | Description
---------------------------------------------------------------- | ---------- | ------------------------------------------------------------
web.ps1                                                          | Filename   | PowerShell implementation of BianLian GO backdoor
136[.]0[.]3[.]71                                                 | IP address | BianLian C2 infrastructure
88[.]169[.]109[.]111                                             | IP address | IP address associated with malicious authentication to TeamCity
165[.]227[.]151[.]123                                            | IP address | IP address associated with malicious authentication to TeamCity
77[.]75[.]230[.]164                                              | IP address | IP address associated with malicious authentication to TeamCity
164[.]92[.]243[.]252                                             | IP address | IP address associated with malicious authentication to TeamCity
64[.]176[.]229[.]97                                              | IP address | IP address associated with malicious authentication to TeamCity
164[.]92[.]251[.]25                                              | IP address | IP address associated with malicious authentication to TeamCity
126[.]126[.]112[.]143                                            | IP address | IP address associated with malicious authentication to TeamCity
38[.]207[.]148[.]147                                             | IP address | IP address associated with malicious authentication to TeamCity
101[.]53[.]136[.]60                                              | IP address | IP address associated with malicious authentication to TeamCity
188[.]166[.]236[.]38                                             | IP address | IP address associated with malicious authentication to TeamCity
185[.]174[.]137[.]26                                             | IP address | IP address associated with malicious authentication to TeamCity
977ff17cd1fbaf0753d4d5aa892af7aa                                 | MD5        | Web.ps1
1af5616fa3b4d2a384000f83e450e4047f04cb57                         | SHA1       | Web.ps1
7981cdb91b8bad8b0b894cfb71b090fc9773d830fe110bd4dd8f52549152b448 | SHA256     | Web.ps1
hxxp://136[.]0[.]3[.]71:8001/win64.exe                           | URL        | BianLian C2 infrastructure
hxxp://136[.]0[.]3[.]71:8001/64.dll                              | URL        | BianLian C2 infrastructure
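The following Python script is an added example for this page; it is not part of the Wiz advisory or of JetBrains' tooling. It refangs the indicators from the table above and checks them against constructed sample TeamCity log lines and file artifacts. The log-line layout and the IP-extraction regex are assumptions (TeamCity log formats vary between teamcity-server.log, the REST log and any reverse-proxy access log in front of port 8111), so adapt the pattern to the log you are actually scanning.

```python
"""Check TeamCity logs and files against the CVE-2024-27198 indicators above.

Added example, not Wiz's or JetBrains' code. Indicator values are copied
from the table; all log lines and file contents below are constructed.
"""
import hashlib
import re

# Defanged indicators exactly as published in the table above.
DEFANGED_IPS = [
    "136[.]0[.]3[.]71", "88[.]169[.]109[.]111", "165[.]227[.]151[.]123",
    "77[.]75[.]230[.]164", "164[.]92[.]243[.]252", "64[.]176[.]229[.]97",
    "164[.]92[.]251[.]25", "126[.]126[.]112[.]143", "38[.]207[.]148[.]147",
    "101[.]53[.]136[.]60", "188[.]166[.]236[.]38", "185[.]174[.]137[.]26",
]
FILE_HASHES = {
    "md5": "977ff17cd1fbaf0753d4d5aa892af7aa",
    "sha1": "1af5616fa3b4d2a384000f83e450e4047f04cb57",
    "sha256": "7981cdb91b8bad8b0b894cfb71b090fc9773d830fe110bd4dd8f52549152b448",
}
SUSPICIOUS_FILENAME = "web.ps1"


def refang(indicator: str) -> str:
    """Turn '136[.]0[.]3[.]71' and 'hxxp://' back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}

# Any dotted-quad not embedded in a longer dotted/numeric token (assumed format).
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def scan_log_lines(lines):
    """Return (line_number, ip) for every listed IoC IP found in a line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        # dict.fromkeys keeps order while de-duplicating repeats in one line
        for ip in dict.fromkeys(IP_RE.findall(line)):
            if ip in IOC_IPS:
                hits.append((n, ip))
    return hits


def classify_file(name: str, content: bytes):
    """Flag a file by the published filename or by any of the three hashes."""
    reasons = []
    if name.lower() == SUSPICIOUS_FILENAME:
        reasons.append("filename matches web.ps1")
    for algo, expected in FILE_HASHES.items():
        if hashlib.new(algo, content).hexdigest() == expected:
            reasons.append(f"{algo} matches published hash")
    return reasons


# Constructed sample lines; the layout imitates teamcity-server.log but is assumed.
SAMPLE_LOG = [
    '[2024-03-06 10:12:01,455]   INFO - ACTIVITIES - User "admin" logged in from 10.0.0.5',
    '[2024-03-06 10:13:17,902]   INFO - ACTIVITIES - User "svc-ci" logged in from 165.227.151.123',
    '[2024-03-06 10:14:40,003]   WARN - AGENT - outbound connection to 136.0.3.71:8001 from build step',
]

if __name__ == "__main__":
    for line_no, ip in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: IoC IP {ip}")
    print(classify_file("Web.ps1", b"# constructed placeholder content"))
```

Hash matches only fire on the exact published sample, so a renamed or modified copy of the backdoor is caught by the filename rule or by the IP rules, not by the hashes; treat the three checks as complementary.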

Affected products

All versions of TeamCity On-Premises up to 2023.11.4 are affected by these vulnerabilities.

TeamCity Cloud instances were patched automatically.

Remediation and mitigation

It is recommended to upgrade TeamCity to the patched version, 2023.11.4, or later.

Workaround

For those unable to update to the patched version at this time, JetBrains provided a "security patch" plugin as an alternative. The security patch plugin can be installed on all TeamCity versions through 2023.11.3. Use the plugin for TeamCity 2018.2 and newer or TeamCity 2018.1 and older, depending on the version you're using.
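The following Python helper is an added example, not JetBrains' or Wiz's code. It encodes the version boundaries stated in the remediation and workaround sections (2023.11.4 or later is patched; earlier releases need the security patch plugin, and which plugin build applies depends on whether the server is 2018.2 or newer, or 2018.1 or older) so that a fleet inventory can be triaged from version strings. The version-string format is assumed from the "YEAR.MAJOR.MINOR (build N)" shape TeamCity uses; it also accepts the two-part "10.0" style of very old releases, which the page does not discuss.

```python
"""Triage TeamCity On-Premises servers by version for CVE-2024-27198/27199.

Added example; boundaries come from the remediation and workaround text.
"""
import re

FIXED_VERSION = (2023, 11, 4)      # first patched release per the advisory
PLUGIN_SPLIT = (2018, 2)           # plugin build boundary: 2018.2+ vs 2018.1 and older

PATCHED = "patched"
PLUGIN_NEWER = "plugin-for-2018.2-and-newer"
PLUGIN_OLDER = "plugin-for-2018.1-and-older"

# Assumed format, e.g. "2023.11.3 (build 147512)" or "2018.1.5 (build 58744)".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str):
    """Return (year, major, minor) from a TeamCity version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no TeamCity version found in {text!r}")
    year, major, minor = m.group(1), m.group(2), m.group(3) or "0"
    return (int(year), int(major), int(minor))


def remediation_for(version_text: str) -> str:
    """Map a server's version to the action the advisory prescribes."""
    v = parse_version(version_text)
    if v >= FIXED_VERSION:
        return PATCHED
    if v[:2] >= PLUGIN_SPLIT:
        return PLUGIN_NEWER
    return PLUGIN_OLDER


def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: action}."""
    return {host: remediation_for(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {
        "ci-01": "2023.11.4 (build 147512)",
        "ci-02": "2023.05.4 (build 129421)",
        "ci-legacy": "2018.1.5 (build 58744)",
    }
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```

Whatever the action, "patched" here means only that the server is on a fixed release; hosts that were exposed before upgrading still warrant the indicator-of-compromise checks the advisory recommends.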

Source: Wiz Research
