Background
On September 6, 2023, a critical vulnerability in TeamCity On-Premises (CVE-2023-42793) was discovered by the Sonar team. TeamCity Cloud was not affected.
We investigated and fixed the issue, and on September 18, 2023 we published mitigation steps for our customers: either upgrade to the version containing the fix (2023.05.4) or, where upgrading was not possible, apply a security patch plugin.
Please see our previous public statements on the issue:
Critical Security Issue Affecting TeamCity On-Premises – Update to 2023.05.4 Now
CVE-2023-42793 Vulnerability in TeamCity: October 9, 2023 Update
CVE-2023-42793 Vulnerability in TeamCity: October 18, 2023 Update
Update
On December 13, 2023, the Cybersecurity & Infrastructure Security Agency of the U.S. Department of Homeland Security (CISA) released a public advisory describing how this vulnerability (CVE-2023-42793) has been exploited by Russian nation-state threat actors since September 2023.
Please see the CISA advisory for a full breakdown of their findings, including technical details on the attack surface, techniques, indicators of compromise, and mitigation recommendations.
Recommendations
Our recommendations remain the same as before:
- If you haven’t already done so, upgrade your TeamCity server to a fixed version (2023.05.4 or the latest 2023.11) or, if you are running an earlier version that you cannot upgrade, apply the security patch plugin. Full details are provided in this blog post.
- If your server is publicly accessible over the internet and you cannot update it or apply the security patch plugin immediately, we recommend temporarily making it inaccessible from the internet until the update or patch has been applied and you have investigated whether your TeamCity environment has been compromised.
- Independently of upgrading or applying the patch plugin, check whether your TeamCity instance has been exploited. To do this, we recommend that you:
  - Review the Indicators of Compromise (IOCs) and detection methods released by CISA. These indicators should not be considered exhaustive for the observed activity, but they provide a useful starting point.
  - Review the Microsoft Threat Intelligence Center’s Indicators of Compromise (IOCs) to help investigate whether your Windows-based TeamCity environment (the server and build agents) has been compromised. These indicators should likewise not be considered exhaustive.
If you upgraded or applied the patch as soon as it was made available, the probability that your instance was exploited is low. However, because the first recorded attacks took place in September 2023, the same month the fix was released, we recommend that you follow the process above to review your specific case.
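As an added example (not part of the original post or of JetBrains’ own tooling), the following Python script triages an inventory of TeamCity On-Premises servers by their reported version against the fixed versions named above: anything below 2023.05.4 is flagged as needing the patch plugin or an upgrade. It assumes version strings in the form shown in the TeamCity web UI footer and returned by the REST API’s `GET /app/rest/server` endpoint, such as `2023.05.3 (build 129390)`; the server names and build numbers in the sample inventory are constructed for illustration. The script cannot see whether the security patch plugin has been installed on an older server, so a `needs patch or upgrade` result means “confirm the plugin is installed, or upgrade”, not “confirmed vulnerable”.

```python
import re

# Lowest server version that contains the fix, as stated in the advisory:
# 2023.05.4. The later 2023.11 release compares greater and is also fixed.
FIXED_VERSION = (2023, 5, 4)

# TeamCity versions look like "2023.05.3", "2023.11" or, as reported by the
# server, "2023.05.3 (build 129390)". Only the leading year.month[.patch]
# part is used; pre-release suffixes (e.g. "EAP") are ignored, so EAP builds
# should be reviewed manually rather than trusted to this check.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(version_string):
    """Parse a TeamCity version string into a comparable (year, month, patch)
    tuple. A missing patch component ("2023.11") is treated as patch 0.
    Raises ValueError for strings that do not look like a TeamCity version."""
    m = _VERSION_RE.match(version_string)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {version_string!r}")
    year, month, patch = m.groups()
    return (int(year), int(month), int(patch or 0))


def is_fixed(version_string):
    """True if the reported server version already contains the fix."""
    return parse_version(version_string) >= FIXED_VERSION


def triage(inventory):
    """Map each server name to 'fixed', 'needs patch or upgrade' or 'unknown'.

    inventory: dict of server name -> version string reported by that server.
    'needs patch or upgrade' does NOT mean the security patch plugin is
    absent; this check cannot observe plugins, only the server version."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "fixed" if is_fixed(version) else "needs patch or upgrade"
        except ValueError:
            result[name] = "unknown"
    return result


# Constructed sample inventory; the server names and build numbers are
# illustrative and do not describe any real deployment.
SAMPLE_INVENTORY = {
    "ci-prod": "2023.05.3 (build 129390)",
    "ci-staging": "2023.05.4 (build 129421)",
    "ci-legacy": "2022.10.2 (build 117025)",
    "ci-new": "2023.11 (build 147412)",
    "ci-odd": "TeamCity Enterprise",
}

if __name__ == "__main__":
    for server, status in triage(SAMPLE_INVENTORY).items():
        print(f"{server}: {status}")
```

Feed the script the version string from each server’s UI footer or `GET /app/rest/server` response; any server that is not reported as `fixed` should be upgraded, or its patch plugin installation verified, and then reviewed against the CISA and Microsoft IOCs regardless of outcome.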
Support
If you have any concerns or questions about the CVE-2023-42793 vulnerability, please contact the TeamCity Support team by submitting a ticket.