The Patches & Perils Of Coordinated Vulnerability Disclosure | Lessons To Learn From The Rapid7/JetBrains Kerfuffle

Listen on Spotify

In the latest episode of GreyNoise Labs Storm⚡️Watch, we delve into a meta-discussion that stems from an escalating feud between cybersecurity firm Rapid7 and software development company JetBrains over the disclosure of two critical vulnerabilities in JetBrains' TeamCity CI/CD platform. 

The contention stems from differing approaches to vulnerability disclosure, leading to public disagreements and a series of attacks exploiting these vulnerabilities, identified as CVE-2024-27198 and CVE-2024-27199. On February 20, 2024, Rapid7 disclosed these vulnerabilities to JetBrains, highlighting the severity of CVE-2024-27198, which allows for a complete authentication bypass, potentially enabling attackers to perform administrative actions on the server and its host environment.

JetBrains criticized Rapid7 for what it perceived as an uncoordinated disclosure, arguing that Rapid7's immediate release of exploit examples enabled attackers of any skill level to quickly exploit the vulnerabilities. This dispute has led to a "land-rush like assault" from threat groups, with ransomware attacks exploiting these flaws for initial access. Despite the contention, JetBrains remains committed to its Coordinated Disclosure Policy, emphasizing the importance of collaboration and ethical responsibility in addressing vulnerabilities. Meanwhile, Rapid7 insists on following its disclosure policy, emphasizing the importance of public disclosure to prevent silent patching and ensure that patches are thoroughly vetted.

Joining us for a cyberside chat is GreyNoise's own Matthew Remacle, who shifts the focus from the feud to discuss silent patching, patch diffing, coordinated disclosure, and offers advice for budding cybersecurity professionals.

For a comprehensive understanding of this issue, we reference discussions and analyses from various sources, including The Register, TechTarget, JetBrains' official blog, and Rapid7's blog, which provide insights into the vulnerabilities, the dispute, and the broader implications for cybersecurity practices and policies.

Citations:

• https://www.techtarget.com/searchsecurity/news/366572432/Critical-JetBrains-TeamCity-vulnerabilities-under-attack
• https://blog.jetbrains.com/teamcity/2024/03/preventing-exploits-jetbrains-ethical-approach-to-vulnerability-disclosure/
• https://blog.jetbrains.com/teamcity/2024/03/additional-critical-security-issues-affecting-teamcity-on-premises-cve-2024-27198-and-cve-2024-27199-update-to-2023-11-4-now/
• https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/
• https://news.ycombinator.com/item?id=39603074
• https://www.splunk.com/en_us/blog/security/security-insights-jetbrains-teamcity-cve-2024-27198-and-cve-2024-27199.html
• https://therecord.media/jet-brains-advisory-teamcity-vulnerabilities
• https://forums.theregister.com/forum/all/2024/03/12/jetbrains_is_still_mad_at/
• https://www.tenable.com/blog/cve-2024-27198-cve-2024-27199-two-authentication-bypass-vulnerabilities-in-jetbrains-teamcity
• https://www.theregister.com/2024/03/05/rapid7_jetbrains_vuln_disclosure_dispute/
• https://thecyberexpress.com/jetbrains-vs-rapid7-vulnerability-disclosure/amp/
• https://arcticwolf.com/resources/blog/2024-27198-and-cve-2024-27199/
• https://securityaffairs.com/159995/security/jetbrains-teamcity-flaws.html
• https://securityboulevard.com/2024/03/jetbrains-says-rapid7s-fast-release-of-flaw-details-harmed-users/
• https://socprime.com/blog/cve-2024-27198-and-cve-2024-27199-detection-critical-vulnerabilities-in-jetbrains-teamcity-pose-escalating-risks-with-exploits-underway/
• https://www.cybersecuritydive.com/news/jetbrains-teamcity-vulnerabilities/709329/
• https://www.cybersecuritydive.com/news/jetbrains-teamcity-exploited-disclosure/710017/
• https://www.bankinfosecurity.com/jetbrains-teamcity-bugs-could-lead-to-server-takeover-a-24520
• https://vulnera.com/newswire/critical-vulnerabilities-in-teamcity-pose-threat-to-software-supply-chain/

Can't Watch? Listen Here