Hot on the heels of the adversary campaigns abusing CVE-2023-29357 in Microsoft SharePoint Server as part of a pre-auth RCE chain, another flaw enabling remote code execution is causing a stir across the cyber threat landscape. A critical vulnerability in the JetBrains TeamCity CI/CD server, tracked as CVE-2023-42793, allows adversaries to gain RCE on affected instances, steal source code, and potentially stage further supply chain attacks.

Detect CVE-2023-42793 Exploitation

The ever-growing threat landscape, with a constantly increasing number of vulnerabilities affecting popular business applications, requires a proactive threat detection strategy to stop security breaches in time. SOC Prime Platform offers a number of reliable cybersecurity tools to advance the efficiency of your SOC operations.

Dive into the world's fastest feed on the latest TTPs used by adversaries to always stay on top of emerging threats. To detect possible CVE-2023-42793 exploitation attempts, SOC Prime offers a curated Sigma rule by our keen Threat Bounty developer Aykut Gürses. The detection is mapped to the MITRE ATT&CK® framework and accompanied by extensive metadata to streamline the investigation.

Possible CVE-2023-42793 (Authentication Bypass Leading to RCE on JetBrains TeamCity Server) Exploitation Attempt (via proxy)

The rule is compatible with 18 SIEM, EDR, XDR, and Data Lake technologies, addressing Persistence tactics with Server Software Component (T1505) as the main technique.
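To show what a proxy-log detection for this CVE looks like in practice, here is an added worked example in Python. It is not SOC Prime's Sigma rule and not code from JetBrains; it assumes a simple constructed proxy log format ("time client method url status") and matches the request paths documented in the public JetBrains and Sonar write-ups on CVE-2023-42793 (the admin token resource named RPC2 used for the authentication bypass, and the debug "processes" endpoint used afterwards to run commands). The sample log lines are constructed, not real traffic. It also includes the version check a practitioner would run against an inventory of on-premises servers, based on the fixed version 2023.05.4 stated in this post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not real traffic): "<time> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOGS = [
    "2023-09-28T10:01:22Z 10.0.0.5 GET http://teamcity.internal:8111/login.html 200",
    "2023-09-28T10:01:30Z 203.0.113.7 DELETE http://teamcity.internal:8111/app/rest/users/id:1/tokens/RPC2 204",
    "2023-09-28T10:01:31Z 203.0.113.7 POST http://teamcity.internal:8111/app/rest/users/id:1/tokens/RPC2 200",
    "2023-09-28T10:02:10Z 10.0.0.9 GET http://teamcity.internal:8111/app/rest/builds 200",
    "2023-09-28T10:02:40Z 203.0.113.7 POST http://teamcity.internal:8111/app/rest/debug/processes?exePath=/bin/sh 200",
]

# Assumed log line layout; adjust the regex to your proxy's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Indicators taken from the public JetBrains/Sonar write-ups on CVE-2023-42793, not from this post:
# the bypass is a DELETE (remove an existing token) then a POST (mint a new one) against the admin
# user's token resource named "RPC2"; the debug "processes" endpoint is the common follow-on step.
INDICATORS = [
    ("auth_bypass_token", re.compile(r"^/app/rest/users/[^/]+/tokens/RPC2$"), {"DELETE", "POST"}),
    ("debug_process_exec", re.compile(r"^/app/rest/debug/processes$"), {"POST"}),
]


def scan_proxy_logs(lines):
    """Return one hit dict per log line whose method and URL path match a known indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        path = urlsplit(m["url"]).path  # compare the path only; query strings vary per exploit kit
        for name, pattern, methods in INDICATORS:
            if m["method"] in methods and pattern.match(path):
                hits.append({
                    "time": m["ts"], "client": m["client"], "method": m["method"],
                    "path": path, "indicator": name,
                })
    return hits


def clients_with_bypass_sequence(hits):
    """Clients that issued both the DELETE and the POST to the RPC2 token path (the full bypass, not a lone probe)."""
    seen = {}
    for h in hits:
        if h["indicator"] == "auth_bypass_token":
            seen.setdefault(h["client"], set()).add(h["method"])
    return sorted(c for c, methods in seen.items() if {"DELETE", "POST"} <= methods)


VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")
FIXED_VERSION = (2023, 5, 4)  # first on-premises release with the fix, per the post


def is_vulnerable_version(version: str) -> bool:
    """True when an on-premises TeamCity version string is below 2023.05.4, e.g. '2023.05.3 (build 129390)'."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised TeamCity version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    found = scan_proxy_logs(SAMPLE_PROXY_LOGS)
    for hit in found:
        print(hit)
    print("full bypass sequence from:", clients_with_bypass_sequence(found))
    print("2023.05.3 vulnerable:", is_vulnerable_version("2023.05.3 (build 129390)"))
```

A lone DELETE or POST to the RPC2 token path is worth an alert on its own, but the DELETE-then-POST pair from one client, followed by a call to the debug processes endpoint, is the full exploitation chain and should be escalated rather than triaged as a scan. The version check treats anything below 2023.05.4 as exposed, which matches the post's statement that 2023.05.3 and earlier are affected.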

To dive into the entire collection of detection rules for emerging and critical vulnerabilities, hit the Explore Detections button below. All the rules are accompanied by extensive cyber threat context and CTI to boost threat investigation.

Explore Detections

Aspiring Detection Engineers can sharpen their Sigma and ATT&CK skills by joining the crowdsourced Threat Bounty Program. Train your detection coding skills to advance in an engineering career while enriching collective industry expertise and earning financial rewards for your input.

CVE-2023-42793 Description

TeamCity is a popular CI/CD server from JetBrains aimed at streamlining DevOps processes and used by over 30,000 customers. With CVE-2023-42793, a critical JetBrains TeamCity vulnerability arriving in the cyber threat arena, organizations and individual users that rely on this software in their daily operations are exposed to potential threats. CVE-2023-42793 was discovered by Sonar vulnerability researcher Stefan Schiller, who provided an in-depth analysis of this critical flaw highlighting the risk of source code disclosure upon successful exploitation. The uncovered authentication bypass vulnerability, rated critical with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary code on TeamCity instances running version 2023.05.3 or earlier. As a result of successful CVE-2023-42793 exploitation, threat actors can steal source code along with stored service secrets and private keys. Moreover, access to the build process gives attackers the green light to inject malicious code into builds, which can lead to supply chain attacks and full system compromise.

CVE-2023-42793 poses a threat to on-premises TeamCity servers only; TeamCity Cloud is unaffected. In response to the escalating risks, JetBrains issued a detailed blog post covering a thorough vulnerability analysis and how to eliminate its impact. The vulnerability has been patched in TeamCity version 2023.05.4.

As recommended CVE-2023-42793 mitigation measures, all users of on-premises TeamCity servers are urged to update their software to the latest version. For those who are unable to upgrade, JetBrains has also released a security patch plugin that specifically addresses this RCE bug.

Cybersecurity researchers raise concerns about CVE-2023-42793 exploitation in the wild, since this critical flaw doesn't require a valid account on the targeted system and is easy for adversaries to weaponize. With SOC Prime's Uncoder AI, defenders can elevate their detection engineering procedures and preempt risks from emerging threats by coding faster with a built-in autocompletion wizard and automated rule logic and syntax checks, as well as auto-parsing IOCs into custom search queries to instantly identify intrusions and stop threats before they strike.
