Weekly Vulnerability Recap – December 18, 2023 – JetBrains TeamCity Exploits Continue


Jenna Phipps
The impending holidays don’t mean a break from cybersecurity threats. This week’s news includes open-source software vulnerabilities, exposed data, and continued attacks from Russian state-sponsored threat actors. Google’s Dataproc security issues can be exploited not just through the analytics engine itself but from Google Compute Engine as well. WordPress sites running the Backup Migration plugin are open to PHP code injection. Before your IT and security teams log off for the holidays, make sure to apply any outstanding updates or patches.
Type of vulnerability: Cross-site scripting and command injection.
The problem: Researchers at Sonar, using the company’s SonarCloud code analysis platform, found three vulnerabilities in the open-source firewall software pfSense: two cross-site scripting (XSS) flaws and a command injection flaw. NIST has cataloged them as CVE-2023-42325, CVE-2023-42327, and CVE-2023-42326. The XSS flaws require a logged-in user to open a crafted link, but chained with the command injection they let a remote attacker run arbitrary commands on the firewall, where the web interface runs with root privileges.
pfSense CE 2.7.0 and earlier and pfSense Plus 23.05.1 and earlier are affected. Sonar discovered the vulnerabilities over the summer but did not publish its report until last week.
The fix: Upgrade to pfSense CE 2.7.1 or pfSense Plus 23.09, both of which contain the fixes. Sonar’s report also links the individual patch commits from Netgate, pfSense’s maintainer, for anyone who needs to review exactly what changed.
Type of vulnerability: Unauthenticated access to Dataproc clusters.
The problem: Google’s data processing and analytics engine Dataproc has insufficient security controls on two open firewall ports. Anyone who can reach a cluster’s IP address on those ports can use it without authenticating. Orca Security’s research group published an article describing the issue. An attacker who gains access to a Dataproc instance this way can view the sensitive data it processes or stores.
Orca said that at the time of writing, Google had not fixed the flaw and had classified it only as an Abuse Risk. Google documents the dangers of open firewall rules, but not, as Orca pointed out, the possibility that an attacker who controls a Google Compute Engine instance on the same network could reach Dataproc from inside the VPC.
The fix: Orca Security scans Dataproc clusters and notifies Orca customers when an instance is misconfigured, along with remediation recommendations and code to fix the issue. That only helps Orca customers; Google has not offered a general fix. In the meantime, treat the cluster’s firewall rules as the control: restrict ingress on the affected ports to the hosts that need it rather than leaving them open to the whole VPC or the internet.
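The following firewall-rule audit is an added example, not code from Orca, Google, or this article. It reads the JSON that `gcloud compute firewall-rules list --format=json` prints (the four sample rules below are constructed, including the port range on the open rule) and flags the two exposures the Dataproc item turns on: ingress rules reachable from the public internet, and broad intra-VPC rules such as the default network’s default-allow-internal, which is what lets any Compute Engine VM in the VPC reach a cluster’s unauthenticated ports. The /16 threshold for “broad” is an assumption you can tune.

```python
"""Audit GCP VPC firewall rules for internet-facing and VPC-wide ingress.

Added example; input is the JSON from `gcloud compute firewall-rules list
--format=json`. The SAMPLE_RULES_JSON below is constructed for the demo.
"""
import ipaddress
import json

# Constructed sample: four rules in the shape gcloud emits (fields trimmed).
SAMPLE_RULES_JSON = json.dumps([
    {"name": "default-allow-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]},
                 {"IPProtocol": "icmp"}]},
    {"name": "dataproc-ui-from-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["dataproc-cluster"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8000-9999"]}]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.5/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "old-open-rule", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
])

# Assumption: a private source block wider than /16 is treated as "the whole VPC".
BROAD_INTERNAL_PREFIX = 16


def classify_source(cidr: str) -> str:
    """Return 'internet', 'broad-internal' or 'scoped' for one source range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
        return "internet"
    if net.is_private and net.prefixlen < BROAD_INTERNAL_PREFIX:
        return "broad-internal"
    return "scoped"


def describe_allowed(allowed: list) -> str:
    """Render the allowed protocols/ports of a rule as 'tcp:22 icmp:all'."""
    parts = []
    for entry in allowed:
        ports = ",".join(entry.get("ports", [])) or "all"
        parts.append(f"{entry.get('IPProtocol', 'all')}:{ports}")
    return " ".join(parts)


def audit_firewall_rules(rules_json: str) -> list:
    """Return findings for enabled ingress allow rules, worst exposure first."""
    findings = []
    for rule in json.loads(rules_json):
        if (rule.get("direction", "INGRESS") != "INGRESS"
                or rule.get("disabled") or "allowed" not in rule):
            continue
        classes = {classify_source(c) for c in rule.get("sourceRanges", [])}
        if "internet" in classes:
            exposure = "internet"
        elif "broad-internal" in classes:
            exposure = "broad-internal"
        else:
            continue
        findings.append({
            "rule": rule["name"],
            "exposure": exposure,
            "sources": rule.get("sourceRanges", []),
            "allowed": describe_allowed(rule["allowed"]),
            # No target tags or service accounts means every instance in the network.
            "targets": (rule.get("targetTags") or rule.get("targetServiceAccounts")
                        or ["all instances in network"]),
        })
    findings.sort(key=lambda f: 0 if f["exposure"] == "internet" else 1)
    return findings


if __name__ == "__main__":
    for f in audit_firewall_rules(SAMPLE_RULES_JSON):
        print(f"[{f['exposure']}] {f['rule']}: {f['allowed']} "
              f"from {f['sources']} -> {f['targets']}")
```

The internet-facing finding is the obvious one to close first, but the broad-internal finding is the Compute Engine scenario Orca describes: with default-allow-internal in place, one compromised VM anywhere in the default network can reach the cluster.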
Type of attack: Authentication bypass resulting in server access.
The problem: The National Security Agency (NSA) released a press announcement last week about active exploitation of a JetBrains TeamCity server vulnerability. According to the NSA, the Russian Foreign Intelligence Service (SVR), tracked by researchers as APT29 and Cozy Bear, has been exploiting the known vulnerability since September 2023. Among the victims so far are businesses in the medical and financial industries.
Threat actors use the vulnerability, CVE-2023-42793, to bypass authentication and gain access to TeamCity servers, then take further action, including escalating their privileges. Their goal is long-term access to the servers.
The NSA, the Federal Bureau of Investigation (FBI), and partner agencies published a detailed Cybersecurity Advisory (CSA) to help teams respond.
The fix: The CSA provides multiple mitigation suggestions. See its Mitigations section for specific recommendations, starting with applying JetBrains’ already-released patch and enabling antivirus and endpoint monitoring products. Patching alone does not evict an attacker who already has a foothold, so servers that were exposed before the patch should also be reviewed for the persistence activity the advisory describes.
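As an added example (not code from the advisory, JetBrains, or this article), the detector below scans the access log of a reverse proxy in front of TeamCity for the request shape public write-ups attribute to CVE-2023-42793, a token-creation request under /app/rest/users/ whose path ends in RPC2, which the unpatched server treats as an unauthenticated path, and for the follow-on steps this item describes: token requests for the built-in admin user id:1, use of the REST debug endpoints, and user creation from a source that already produced a high-severity hit. The log lines are constructed, nginx combined format is assumed, and the paths are an assumption to adjust if your proxy rewrites them.

```python
"""Flag CVE-2023-42793 exploitation patterns in reverse-proxy access logs.

Added example. SAMPLE_ACCESS_LOG is constructed: 203.0.113.7 plays the
attacker and 10.20.0.15 is an ordinary user creating a token for themselves.
"""
import re
from collections import Counter

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Dec/2023:10:01:03 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2023:10:01:09 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 312 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Dec/2023:10:01:15 +0000] "POST /app/rest/users HTTP/1.1" 200 891 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Dec/2023:10:02:40 +0000] "POST /app/rest/debug/processes HTTP/1.1" 200 44 "-" "python-requests/2.31.0"
10.20.0.15 - - [12/Dec/2023:10:05:00 +0000] "GET /app/rest/builds?locator=running:true HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.20.0.15 - - [12/Dec/2023:10:06:12 +0000] "POST /app/rest/users/id:42/tokens/ci-token HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# nginx/Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
MUTATING = {"POST", "PUT", "DELETE"}
# Documented bypass shape: token endpoint whose last segment matches the
# server's unauthenticated wildcard path.
TOKEN_BYPASS_RE = re.compile(r"^/app/rest/users/[^/]+/tokens/RPC2$")
TOKEN_ANY_RE = re.compile(r"^/app/rest/users/(?P<locator>[^/]+)/tokens/[^/]+$")
DEBUG_RE = re.compile(r"^/app/rest/debug/")


def detect_teamcity_exploitation(log_text: str) -> list:
    """Return findings (dicts) in log order; severity is downgraded for rejected requests."""
    findings = []
    hot_ips = set()  # sources that already produced a high-severity hit
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]
        severity = reason = None
        if method in MUTATING and TOKEN_BYPASS_RE.match(path):
            severity, reason = "high", "auth-bypass token request (CVE-2023-42793 pattern)"
        elif method in MUTATING and DEBUG_RE.match(path):
            severity, reason = "high", "REST debug endpoint invoked"
        elif (tm := TOKEN_ANY_RE.match(path)) and tm["locator"] == "id:1":
            severity, reason = "medium", "token request for built-in admin user id:1"
        elif method == "POST" and path == "/app/rest/users" and ip in hot_ips:
            severity, reason = "medium", "user creation via REST after suspicious activity from same source"
        if severity is None:
            continue
        if status >= 300:  # an attempt the server rejected: keep it, lower confidence
            severity = "medium" if severity == "high" else "low"
            reason += f" (server returned {status})"
        if severity == "high":
            hot_ips.add(ip)
        findings.append({"line": line_no, "ip": ip, "time": m["ts"], "severity": severity,
                         "reason": reason, "request": f"{method} {path}", "status": status})
    return findings


def summarize_by_ip(findings: list) -> Counter:
    """Count findings per source address so the noisiest source surfaces first."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = detect_teamcity_exploitation(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(f"line {h['line']:>3} {h['severity']:<6} {h['ip']:<14} {h['request']}: {h['reason']}")
    print(summarize_by_ip(hits).most_common())
```

A successful bypass request followed by user creation and debug-endpoint calls from one address is the sequence to treat as a confirmed compromise rather than a scan; the same-source rule on user creation exists so that ordinary administrators creating accounts do not trip the detector on their own.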
Type of attack: PHP code injection and remote code execution.

The problem: Backup Migration, a WordPress plugin installed on tens of thousands of websites, has a vulnerability that allows remote code execution. The flaw, CVE-2023-6553, affects every version of Backup Migration up to and including 1.3.7. An unauthenticated attacker can abuse the /includes/backup-heart.php file to inject PHP code and execute it on the affected site without any user interaction.
Wordfence, which makes a WordPress security plugin, discovered the bug and reported it to BackupBliss, the plugin’s developers.
The fix: After receiving Wordfence’s report, the Backup Migration developers released a patch earlier in December, included in version 1.3.8. WordPress administrators should update Backup Migration to the latest version before their sites are compromised; many installations have not been updated and remain vulnerable. If the plugin is installed, check which version your site is running.
Type of vulnerability: Parameter manipulation allowing path traversal and potential remote code execution.
The problem: The Apache Software Foundation announced a flaw in Apache Struts 2, an open-source framework for Java web applications. According to NIST, the vulnerability (CVE-2023-50164) lets an attacker manipulate file upload parameters to achieve path traversal, which can be used to upload a malicious file and execute code remotely. Affected versions are Struts 2.0.0 through 2.3.37 (end of life), Struts 2.5.0 through 2.5.32, and Struts 6.0.0 through 6.3.0.
The fix: Upgrade to Struts 2.5.33 or 6.3.0.2 or later. Because the 2.3.x line is end of life, applications still on it must move to 2.5.33 or later. Struts ships inside application archives rather than as a system package, so inventory the struts2-core version bundled in each deployed application as well as the versions in build dependency files.
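Because every item in this recap comes down to “is the deployed version inside the affected range,” here is a single version-exposure check covering the pfSense, TeamCity, Backup Migration and Struts 2 advisories above. It is an added example, not code from any of the vendors or this article. The affected ranges are the ones stated in the recap; the TeamCity fixed version (2023.05.4), the Struts 6.x fixed version (6.3.0.2) and the Struts CVE identifier are taken from the vendors’ own advisories. The inventory is constructed, and the product keys are labels chosen for this example.

```python
"""Check inventoried versions against the advisories in this recap.

Added example. Affected ranges are inclusive; a "0" lower bound means every
release up to the upper bound. SAMPLE_INVENTORY is constructed.
"""
import re
from typing import Optional

ADVISORIES = {
    "pfsense-ce": {
        "cves": ["CVE-2023-42325", "CVE-2023-42326", "CVE-2023-42327"],
        "affected": [("0", "2.7.0")], "fixed": ["2.7.1"]},
    "pfsense-plus": {
        "cves": ["CVE-2023-42325", "CVE-2023-42326", "CVE-2023-42327"],
        "affected": [("0", "23.05.1")], "fixed": ["23.09"]},
    "teamcity": {   # fixed version from JetBrains' advisory
        "cves": ["CVE-2023-42793"],
        "affected": [("0", "2023.05.3")], "fixed": ["2023.05.4"]},
    "backup-migration": {
        "cves": ["CVE-2023-6553"],
        "affected": [("0", "1.3.7")], "fixed": ["1.3.8"]},
    "struts2": {    # CVE and 6.3.0.2 from the Struts project's advisory
        "cves": ["CVE-2023-50164"],
        "affected": [("2.0.0", "2.3.37"), ("2.5.0", "2.5.32"), ("6.0.0", "6.3.0")],
        "fixed": ["2.5.33", "6.3.0.2"]},
}

# Constructed inventory: (product label, version string as the tool reports it).
SAMPLE_INVENTORY = [
    ("pfsense-ce", "2.7.0-RELEASE"),
    ("pfsense-plus", "23.09"),
    ("teamcity", "2023.05.3"),
    ("backup-migration", "1.3.7"),
    ("struts2", "2.3.37"),
    ("struts2", "6.3.0"),
    ("struts2", "6.3.0.2"),
    ("teamcity", "unknown"),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[tuple]:
    """Leading numeric version, e.g. '2.7.0-RELEASE' -> (2, 7, 0); None if absent."""
    m = _VERSION_RE.match(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_le(a: tuple, b: tuple) -> bool:
    """a <= b with zero padding, so (6, 3, 0) equals (6, 3, 0, 0) and 6.3.0.2 > 6.3.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def assess(product: str, version_text: str) -> dict:
    """Classify one deployed version as affected / not affected / unknown."""
    adv = ADVISORIES[product]
    result = {"product": product, "version": version_text, "cves": adv["cves"],
              "status": "unknown", "upgrade_to": None}
    v = parse_version(version_text)
    if v is None:
        return result
    affected = any(version_le(parse_version(lo), v) and version_le(v, parse_version(hi))
                   for lo, hi in adv["affected"])
    result["status"] = "affected" if affected else "not affected"
    if affected:
        # Smallest fixed release newer than what is deployed; a Struts 2.3.x
        # install therefore lands on 2.5.33, since the 2.3 line is end of life.
        newer = [f for f in adv["fixed"] if not version_le(parse_version(f), v)]
        result["upgrade_to"] = min(newer, key=parse_version) if newer else adv["fixed"][-1]
    return result


def assess_inventory(inventory: list) -> list:
    return [assess(product, version) for product, version in inventory]


if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_INVENTORY):
        fix = f" -> upgrade to {r['upgrade_to']}" if r["upgrade_to"] else ""
        print(f"{r['product']:<17} {r['version']:<15} {r['status']}{fix}")
```

Feed it whatever your asset inventory already exports; the one thing to get right is the version string source, which for Struts means the struts2-core jar inside each deployed application, not a system package list.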
© 2023 TechnologyAdvice. All Rights Reserved