JetBrains TeamCity Authentication Bypass Vulnerabilities
Overview
The SonicWall Capture Labs threat research team became aware of a couple of noteworthy vulnerabilities — an authentication bypass vulnerability and a path traversal vulnerability — in JetBrains TeamCity, assessed their impact and developed mitigation measures for them. TeamCity, a build management and continuous integration server, published an advisory on these vulnerabilities which affect versions before 2023.11.4. Considering the sizeable user base as well as the low attack complexity, TeamCity users are strongly encouraged to upgrade their instances to the latest versions with utmost priority.
CVE Details
Authentication Bypass Vulnerability
The authentication bypass vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-27198.
The CVSS score is 9.8 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Path Traversal Vulnerability
The path traversal vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-27199.
The CVSS score is 7.3 based on the metrics (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Technical Overview
CVE-2024-27198
This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server. The flaw is in the functionality of the jetbrains.buildServer.controllers.BaseController class of the web-openapi.jar library. As seen in the code shared by rapid7 in Figure 1, if a request is served by the handleRequestInternal method in the BaseController class and not redirected by issuing 302 status code, then it will lead to execution of the updateViewIfRequestHasJspParameter method.
Figure 1: handleRequestInternal method of BaseController class, source: rapid7
Another piece of code, as seen in Figure 2, defining the method updateViewIfRequestHasJspParameter reveals that the unauthenticated attacker needs to make sure that the modelAndView has a name and does not terminate with .jsp. Requesting a non-existent URI that generates a 404 response and renders a /404.html page would result in the variable isControllerRequestWithViewName becoming true and the method getJspFromRequest will be called.
Figure 2: updateViewIfRequestHasJspParameter method, source: rapid7
The method getJspFromRequest is the one that captured the imagination of the attackers as it allows them to render an arbitrary endpoint by specifying the value in a parameter named jsp, as seen in Figure 3. Although it does not only require the endpoints to terminate with .jsp but also makes sure that it does not contain the confined path /admin/, the parameters can be tricked to access the arbitrary endpoints by an unauthenticated threat actor which normally requires authentication.
Figure 3: getJspFromRequest method, source: rapid7
CVE-2024-27199
This vulnerability allows the threat actors to gain unauthenticated access to a limited number of authenticated endpoints due to a path traversal issue present in some of the endpoints such as /res/, /update/ and /.well-known/acme-challenge/. The attacker can make use of those paths along with path traversal vectors to reach other restricted endpoints by circumventing the authentication checks.
Triggering the Vulnerability
CVE-2024-27198
Leveraging this authentication bypass vulnerability requires the attacker to meet the following requisites:
- Render a 404 response by requesting a non-existing path, for instance, /sw
- Set a value of jsp query parameter in the request to the desired path which requires authentication, for example, ?jsp=/app/rest/server
- Make sure the crafted URI terminates with .jsp. The path can be ended by appending an HTTP path parameter or a query string segment such as ;.jsp or ?.jsp
The example request would look like, http[:]//sw-test[.]local:8111/sw?jsp=/app/rest/server?.jsp
Accessing the authenticated endpoint /app/rest/server by exploiting this vulnerability is demonstrated in the video below.
CVE-2024-27199
Triggering this path traversal vulnerability requires the threat actor to send a crafted request utilizing the endpoints discussed in the overview section to reach number of pages that may expose sensitive information and/or let the attacker alter system configurations. For instance, the video illustrating the unauthenticated access to some of the endpoints /app/https/settings/certificateInfo and /admin/diagnostic.jsp is shown below.
Exploitation
CVE-2024-27198
Exploitation of this vulnerability yields the attacker a commanding position over a TeamCity server by adding a new admin user, as seen in the video below, and complete control over builds and projects hosted on the server which can open the door for them to execute a sophisticated supply chain attack.
CVE-2024-27199
Exploitation of this vulnerability yields the attacker sensitive information as well as the ability to modify some of the server configurations such as uploading a custom HTTPS certificate and specifying the listening port for the HTTPS service using a self-signed certificate.
This flaw can be exploited by nefarious attackers to execute either a denial-of-service (DoS) attack by modifying the HTTPS listening port or a man-in-the-middle (MITM) attack, since the attacker owns the private key of the modified certificate.
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
CVE-2024-27198
- IPS: 15969 and 15970
CVE-2024-27198
- IPS: 15966, 15967 and 15968
Remediation Recommendations
Considering the severe consequences of this vulnerability as well as the reports of mass-generation of admin accounts using the exploit, users are strongly encouraged to upgrade their instances as published in the vendor advisory.
Relevant Links
