Vulnerability management lessons from the JetBrains security incident

May 17, 2024
Despite the quick fix and the company claiming that there was no evidence that they had been attacked, there are lessons to be learned from this incident.

Recently, multiple vulnerabilities were discovered in JetBrains' TeamCity On-Premises software, which allowed remote attackers to bypass authentication checks and take over an affected server for malicious activities within an organization's environment. The industry-wide impact was significant, as TeamCity is a software development life cycle (SDLC) management platform used by more than 30,000 organizations to automate the building, testing and deployment of software, thus containing a treasure trove of useful data for attackers. 

The vulnerabilities — tracked as CVE-2024-23917 (CVSS score: 9.8), CVE-2024-27198 (CVSS score: 9.8), and CVE-2024-27199 (CVSS score: 7.3) — were rated “critical” or “high,” highlighting the need for robust security measures in CI/CD environments and advanced monitoring and risk prioritization within internal infrastructures. These environments are integral to the software development lifecycle and, by extension, the entire software supply chain.

This is not the first time a JetBrains security flaw with the potential for global impact across the software supply chain has come to light. In September 2023, a separate critical TeamCity On-Premises vulnerability was disclosed. Although a patch was quickly issued, Microsoft researchers observed nation-state threat actors using a range of malware and tools to plant backdoors in compromised Windows-based TeamCity environments.

Similarly, with the recently identified CVEs, JetBrains quickly patched the security vulnerabilities in its TeamCity On-Premises software, but their significance should not be glossed over. Despite the quick fix and the company claiming that there was no evidence that they had been attacked, there are lessons to be learned from this incident.

The software supply chain remains fragile due to expanded attack surfaces

According to Gartner, SDLC attacks have affected 61% of U.S. businesses from April 2022 to April 2023, demonstrating the critical need to better secure attack surfaces. The JetBrains instance reminds us that the ability of an unauthenticated attacker to bypass authentication checks and gain administrative control poses a significant risk not only to the immediate environment but also to the integrity and security of the software being developed and deployed through such compromised CI/CD pipelines.

These threats are especially critical because a single point of compromise can cascade across the attack surface, which may include dozens or hundreds of partners exposed through third-, fourth- and fifth-party incidents throughout the software supply chain.

This highlights the need for a holistic approach to vulnerability management that considers both the direct security of development tools like TeamCity and the broader implications for the software built and distributed through them.

Robust vulnerability management strategies are crucial

The importance of prompt and effective vulnerability management cannot be overstated. Immediate mitigation actions, including updating to the latest version or applying a security patch, are a critical first step in securing the affected systems.

Additionally, effective prioritization within your environment is important. Especially when vulnerabilities have a high CVSS rating, organizations need to be able to understand the attack vectors that would allow for exploitation so they can effectively prioritize which workloads to remediate first. Proper visibility and insight into runtime context can help companies determine whether something is just a severe vulnerability or a severe and exploitable vulnerability that needs to be addressed on a much quicker timescale.
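The distinction the paragraph draws, a severe vulnerability versus a severe and exploitable one, can be made concrete as a ranking that weights the CVSS score by runtime context. The following is an added illustration written for this article, not code from JetBrains, Deepfence or any scanner. The CVE identifiers and CVSS scores are the ones named above; the hosts, the context attributes (`internet_exposed`, `component_running`, `inbound_connections`) and the weighting factors are constructed assumptions chosen to show how context changes the order in which workloads get remediated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability observed on one workload, with runtime context attached.

    The context fields are assumed inputs from runtime observation; a real
    inventory would populate them from process and network telemetry.
    """
    cve: str
    cvss: float
    host: str
    internet_exposed: bool      # listener reachable from outside the network
    component_running: bool     # vulnerable service actually executing, not just on disk
    inbound_connections: int    # connections seen to the service in the last observation window


# Weights below are illustrative assumptions, not values from any vendor or standard.
def reachability_factor(f: Finding) -> float:
    """How easily an attacker can reach the vulnerable listener at all."""
    if f.internet_exposed:
        return 1.0
    if f.inbound_connections > 0:
        return 0.7   # reachable from inside the network, so exploitation needs a foothold
    return 0.4       # no traffic observed in the window


def runtime_factor(f: Finding) -> float:
    """A vulnerable package that is installed but never executed is latent risk."""
    return 1.0 if f.component_running else 0.1


def contextual_score(f: Finding) -> float:
    """CVSS base severity scaled by what the workload actually exposes at runtime."""
    return round(f.cvss * reachability_factor(f) * runtime_factor(f), 2)


def tier(f: Finding) -> str:
    """Map the contextual score onto a remediation timescale."""
    score = contextual_score(f)
    if score >= 7.0:
        return "urgent"      # severe and exploitable: patch or isolate now
    if score >= 2.0:
        return "scheduled"   # severe but not currently reachable: next patch window
    return "latent"          # not running or unreachable: track, verify, clean up


def prioritize(findings):
    """Remediation order using runtime context (highest contextual score first)."""
    return sorted(findings, key=contextual_score, reverse=True)


def cvss_order(findings):
    """Remediation order using CVSS alone, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample inventory: three TeamCity servers in different runtime states.
SAMPLE = [
    # critical CVE, but the service is not running on this host (stale image on disk)
    Finding("CVE-2024-23917", 9.8, "build-02", False, False, 0),
    # high CVE, internal-only server that still receives some inbound traffic
    Finding("CVE-2024-27199", 7.3, "build-03", False, True, 3),
    # critical CVE on an internet-exposed, actively used server
    Finding("CVE-2024-27198", 9.8, "build-01", True, True, 12),
]

if __name__ == "__main__":
    print("CVSS-only order:   ", [f.host for f in cvss_order(SAMPLE)])
    print("Context-aware order:", [f.host for f in prioritize(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f"{f.host:9} {f.cve} cvss={f.cvss} score={contextual_score(f):5} tier={tier(f)}")
```

Ordered by CVSS alone, the two 9.8 findings tie at the top and the idle build-02 host would be patched before the internet-facing build-01. With context applied, build-01 becomes the urgent item, the internal build-03 moves ahead of build-02 despite its lower base score, and build-02 drops to latent work. The weights are deliberately simple; the point is that the ranking input must include whether the vulnerable component is running and reachable, which only runtime visibility can supply.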

Proactive detection and response strategies that can identify potential exploitation attempts or anomalies indicative of a compromise as it happens are key for catching threats that might occur before patching can be operationalized. Scanning for vulnerabilities in real time is the only way to enable maximum visibility, as intermittent scanning only captures point-in-time snapshots, putting cloud environments at a higher risk, especially for emerging threats.

Adopting immutable infrastructure principles and automating the deployment of security patches can significantly reduce the window of exposure to such vulnerabilities. By treating servers as disposable entities that can be replaced with new, patched versions quickly, organizations can enhance their resilience against attacks.

For companies leveraging CI/CD tools like TeamCity, a thorough risk assessment is vital. This involves not only understanding the vulnerabilities themselves but also evaluating the potential impact on the supply chain and the broader ecosystem. eBPF-enabled visibility solutions can play a significant role in identifying anomalous behaviors that might indicate an exploitation attempt or a system compromise.

These capabilities can detect and respond to exploitation of such vulnerabilities, especially when traditional perimeter-based defenses fail to identify or mitigate sophisticated attack vectors that exploit critical flaws. It is also important to note that ‘agentless’ methods of detection are ineffective against a vulnerability like this, which affects on-premises software. The ability to observe application traffic to and from these hybrid workloads is of critical importance given the ever-expanding complexity of today’s hybrid cloud environments.

Companies must remain vigilant in vulnerability management

The discovery of multiple vulnerabilities within a short span underscores a growing trend in the cybersecurity landscape: the relentless targeting of development and deployment tools by adversaries. These tools, due to their central role in the software development life cycle, present lucrative targets for attackers aiming to infiltrate or disrupt the software supply chain.

The JetBrains TeamCity software vulnerability should serve as a potent reminder that vulnerabilities exist within critical components of the software development and deployment pipeline, and they have the potential to wreak havoc on organizations. Given the expanded attack surface, it also underscores the need for comprehensive security strategies that include advanced monitoring, risk prioritization, and real-time, rapid response capabilities to cover the vast territory. Staying vigilant when it comes to vulnerability management is paramount for organizations to better safeguard data, stakeholders, and the fragile software supply chain against attacks.

About the Author

Ryan Smith

Ryan Smith is Head of Product at Deepfence. He's a product evangelist with a demonstrated history of success in the computer software space.