How to find TeamCity instances
How to find TeamCity assets?
On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is tracked as CVE-2023-42793 and is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). Successful exploitation would allow an unauthenticated remote attacker to perform a Remote Code Execution (RCE) attack and gain administrative access to the underlying system.
What is JetBrains TeamCity?
TeamCity is a product that allows customers to combine the practices of Continuous Integration and Continuous Delivery (CI/CD) to build and deliver their software. This raises the priority of patching this vulnerability, since it could give an attacker a foothold in the supply chain of products built with TeamCity On-Premises. Although JetBrains provides a cloud-hosted instance of TeamCity, only customer-hosted instances, which include the Professional and Enterprise editions, are currently affected by the vulnerability.
Are updates available?
JetBrains has issued a patch for the vulnerability in revision 2023.05.4 and encourages all users to upgrade. For users who cannot immediately apply the update, a security patch plugin is also available. More information can be found on JetBrains' website.
How do I find potentially vulnerable versions of TeamCity with runZero?
TeamCity On-Premises assets can be found by navigating to the Asset Inventory and using the following pre-built query to locate TeamCity services on your network:
Results from the above query should be triaged to determine if they require patching or vendor intervention.
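One way to do that triage against the fixed release 2023.05.4, shown as an added example rather than runZero's query or export format. The CSV column names and sample rows are constructed, and the version string layout ("2023.05.3 (build N)") is an assumption about how the version is reported.

```python
import csv
import io
import re

FIXED = (2023, 5, 4)  # fixed release named on this page: 2023.05.4

# Constructed sample export; column names and rows are hypothetical.
SAMPLE_CSV = """address,product,version
10.0.0.5,TeamCity,2023.05.3 (build 100001)
10.0.0.6,TeamCity,2023.05.4 (build 100002)
10.0.0.7,TeamCity,2022.10
10.0.0.8,TeamCity,
10.0.0.9,TeamCity,2023.11.1
"""

VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?")


def parse_version(text):
    """Return (year, month, patch) or None when no version is present."""
    m = VERSION_RE.match(text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(version_text):
    """Classify one asset by its reported TeamCity version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown-version"  # fingerprint had no version: check by hand
    if version >= FIXED:
        return "fixed-release"
    # Older than the fixed release: needs the upgrade, unless the security
    # patch plugin is installed, which a version string alone cannot show.
    return "upgrade-or-verify-plugin"


def triage_inventory(csv_text):
    """Map each address in the export to its triage status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["address"]: triage(row["version"]) for row in rows}


if __name__ == "__main__":
    for address, status in triage_inventory(SAMPLE_CSV).items():
        print(f"{address}\t{status}")
```

Assets reported as "unknown-version" should be treated as unpatched until checked directly, since a missing version in the fingerprint says nothing about the build.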