CVE-2023-42793 Vulnerability in TeamCity: October 18, 2023 Update
We subsequently investigated and fixed the issue and provided mitigation steps to our customers on September 21, 2023, in the form of a fixed version (2023.05.4) that customers could upgrade to or a security patch plugin that could be applied to earlier versions of TeamCity.
On October 17, 2023, the Microsoft Threat Intelligence Center team reached out to JetBrains to inform us that they had observed multiple North Korean nation-state threat actors actively exploiting the CVE-2023-42793 vulnerability since early October 2023.
The Microsoft Threat Intelligence Center team has provided a full breakdown of their findings in this blog post.
These nation-state threat actors have been observed leveraging numerous malware and tools to create backdoors in compromised Windows-based TeamCity environments. Any backdoors are likely to persist and remain undetected after the TeamCity upgrade or security patch plugin is subsequently applied, leaving environments at risk of further exploitation.
- If you haven’t already done so, upgrade your TeamCity server to the patched version (2023.05.4) or apply the security patch plugin if you are using an earlier version of TeamCity. Full details are provided in this blog post.
- Review the Microsoft Threat Intelligence Center team’s Indicators of Compromise (IOCs) to help investigate whether your Windows-based TeamCity environment (the server and build agents) has been compromised. These indicators should not be considered exhaustive for this observed activity.
- If your server is publicly accessible over the internet and you are unable to update it or apply the security patch plugin immediately, we recommend temporarily making it inaccessible until the update or patch has been applied and you’ve investigated whether your TeamCity environment has been compromised.
- If you upgraded your TeamCity server to 2023.05.4 or applied the security patch plugin since early October 2023, there is a higher probability that your TeamCity environment was already exploited prior to the implementation of any mitigation steps (since the North Korean nation-state threat actors have been observed exploiting this vulnerability since early October 2023).
- Consider following the additional mitigation actions provided by the Microsoft Threat Intelligence Center team.
- Although the Microsoft Threat Intelligence Center team’s blog post specifically mentions compromised Windows-based TeamCity environments being actively exploited, this doesn’t rule out Linux-based TeamCity environments also being exploited in similar ways.
If you have any concerns or questions about the CVE-2023-42793 vulnerability, please contact the TeamCity Support team by submitting a ticket.