Background
On September 6, 2023, a critical vulnerability in TeamCity On-Premises (CVE-2023-42793) was discovered by the Sonar team. It is an authentication bypass that allows remote code execution on the TeamCity server. TeamCity Cloud was not affected.
We investigated and fixed the issue, and on September 21, 2023, provided our customers with two mitigation options: upgrading to the fixed version (2023.05.4), or applying a security patch plugin to earlier versions of TeamCity.
Update
On October 17, 2023, the Microsoft Threat Intelligence Center team reached out to JetBrains to inform us that they had observed multiple North Korean nation-state threat actors actively exploiting the CVE-2023-42793 vulnerability since early October 2023.
The Microsoft Threat Intelligence Center team has provided a full breakdown of their findings in this blog post.
These nation-state threat actors have been observed using a range of malware and tools to install backdoors in compromised Windows-based TeamCity environments. Upgrading TeamCity or applying the security patch plugin closes the vulnerability but does not remove any backdoor that was installed beforehand; such backdoors are likely to persist and remain undetected after the mitigation is applied, leaving the environment at risk of further exploitation.
Recommendations
- If you haven’t already done so, upgrade your TeamCity server to the patched version (2023.05.4) or apply the security patch plugin if you are using an earlier version of TeamCity. Full details are provided in this blog post.
- Review the Microsoft Threat Intelligence Center team’s Indicators of Compromise (IOCs) to help investigate whether your Windows-based TeamCity environment (the server and build agents) has been compromised. These indicators should not be considered exhaustive for this observed activity.
- If your server is reachable from the internet and you cannot update it or apply the security patch plugin immediately, we recommend temporarily making it inaccessible until the update or patch has been applied and you have investigated whether your TeamCity environment has been compromised.
- If you upgraded your TeamCity server to 2023.05.4 or applied the security patch plugin only after early October 2023, your server was exposed during a period in which the North Korean nation-state threat actors were already exploiting this vulnerability. There is therefore a higher probability that your TeamCity environment was compromised before the mitigation was applied; treat such a server as potentially compromised and investigate it rather than assuming the patch was applied in time.
- Consider following the additional mitigation actions provided by the Microsoft Threat Intelligence Center team.
- Although the Microsoft Threat Intelligence Center team’s blog post specifically mentions compromised Windows-based TeamCity environments being actively exploited, this does not rule out Linux-based TeamCity environments being exploited in similar ways, so include them in your investigation.
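As an added example for the first recommendation (this is not JetBrains’ code), the script below parses the response of TeamCity’s REST endpoint GET /app/rest/server and reports whether the server version is 2023.05.4 or later. The element and attribute names are those of the REST API as I recall them and should be verified against your own server; the sample response, its version and build values, and the base URL are constructed for the example. One caveat is built in: a server on an earlier version that has been mitigated with the security patch plugin still reports its old version, so a negative result means "upgrade, or confirm the plugin is installed", not "vulnerable".

```python
"""Check whether a TeamCity server reports a version that contains the fix
for CVE-2023-42793.  Added example, not JetBrains' code."""
from __future__ import annotations

import re
import urllib.request
import xml.etree.ElementTree as ET

# First TeamCity version carrying the fix, per the advisory above.
FIXED_VERSION = (2023, 5, 4)

# Constructed sample of the body returned by GET /app/rest/server.  The
# element/attribute names follow the TeamCity REST API as I know it (assumption);
# the version and build values are made up for this example.
SAMPLE_RESPONSE = (
    '<server version="2023.05.3 (build 129400)" versionMajor="2023" '
    'versionMinor="5" buildNumber="129400"/>'
)

# Matches "2023.05.3 (build 129400)" or "2023.11 (build ...)"; the patch
# component is optional because .0 releases omit it.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(server_xml: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from the <server> element's version
    attribute.  A version without a patch component is treated as patch 0."""
    root = ET.fromstring(server_xml)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("not a TeamCity <server> element with a version attribute")
    raw = root.attrib["version"].strip()
    m = _VERSION_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def version_has_fix(version: tuple[int, int, int]) -> bool:
    """True if the version is 2023.05.4 or later (tuple comparison handles
    later release lines such as 2023.11).  False means the server is either
    unpatched or on an older line mitigated only by the security patch plugin,
    which the version string cannot reveal."""
    return version >= FIXED_VERSION


def assess(server_xml: str) -> str:
    """Return 'fixed' or 'upgrade-or-verify-plugin' for one server response."""
    return "fixed" if version_has_fix(parse_version(server_xml)) else "upgrade-or-verify-plugin"


def fetch_server_xml(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Fetch /app/rest/server with a TeamCity access token (Bearer auth).
    base_url is a placeholder such as 'https://teamcity.example.com'.
    Not called at import time so the module runs offline."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/app/rest/server",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_server_xml(...) for a live server.
    print(parse_version(SAMPLE_RESPONSE), assess(SAMPLE_RESPONSE))
```

Run the script against each TeamCity server you operate (for a live server, replace the sample with `fetch_server_xml(base_url, token)`). A result of `upgrade-or-verify-plugin` on a server you believe is mitigated by the plugin is expected; confirm the plugin is actually installed through the server’s administration UI rather than trusting the version alone, and in either case still carry out the compromise investigation described in the recommendations.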
Support
If you have any concerns or questions about the CVE-2023-42793 vulnerability, please contact the TeamCity Support team by submitting a ticket.