Help with ensuring unidirectional protocol

Answered

Hi,

Hopefully someone here can help me with an issue I'm facing with TeamCity at the moment. I work for a federal agency and security measures are increasing across the federal space. We've been using TeamCity for about a year now and it was recently flagged as a security vulnerability by a security tool used here called Nessus. We were using TeamCity 8.1 and the results of the assessment instructed that we upgrade to version 10.0 or later (the full report details are below) because the version we were using used bidirectional communication and we needed to use unidirectional communication. We upgraded to version 10.0.3 and saw that unidirectional was the default so we thought we would pass the scan after that. Unfortunately, we still fail the scan with the reason being that the agent can behave as multidirectional even though unidirectional is enabled.

Ultimately, we just want to pass the security scan, so is there a way that the bidirectional communication can be disabled completely? If not, do you have any suggestions on how to resolve this issue? Again, the details of the scan results are below.

Thanks,
Dwayne

Plugin Details

Plugin ID: 94675
Family: RPC
Plugin Name: JetBrains TeamCity Agent XML-RPC Port RCE

Description

JetBrains TeamCity agent is running on the remote host. It is, therefore, affected by a remote command execution vulnerability due to the agent behaving as a multidirectional agent even when the unidirectional protocol is enabled. An unauthenticated, remote attacker can exploit this to execute commands via the XML-RPC port, resulting in the disclosure of sensitive information, a denial of service condition, or the execution of arbitrary shell commands.

Solution

Upgrade JetBrains TeamCity agent to version 10.0 (42002) or later and use unidirectional agent communication.

Risk Factor: Critical

8 comments

Hello,

Any help on this issue would be much appreciated by you guys. If not, we'll most likely have to go with another solution for deployments.

Thanks!

0

Sorry for the delay, most of the team are still on holiday. In case of urgent requests please use our support channel.

First of all please make sure you're running TeamCity 10.0.4, as there were additional fixes: https://youtrack.jetbrains.com/issue/TW-41792

To force all of the agents to use uni-directional protocol you need to specify the following internal property on the server:

teamcity.agent.communicationProtocols=polling

You'll need to restart the server to make the agents re-connect to it.

You can check that all of the agents are using polling on the Agents -> Parameters Report tab. Search for the teamcity.agent.protocol parameter.

More about server internal properties: https://confluence.jetbrains.com/display/TCD10/Configuring+TeamCity+Server+Startup+Properties#ConfiguringTeamCityServerStartupProperties-TeamCityinternalproperties

0
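One way to pin the server-side internal property from the answer above and to verify it afterwards, as an added example that is not from this thread or from JetBrains. The property name and value are the ones given above; the path you pass is your own server's internal.properties file (the example only writes to a file you name):

```shell
#!/bin/sh
# Added example, not part of the thread. Idempotently pins
# teamcity.agent.communicationProtocols=polling in a properties file
# and reports whether the effective value is exactly "polling".
KEY="teamcity.agent.communicationProtocols"
WANT="polling"

# Print the effective value of KEY in FILE: the last uncommented
# assignment, with surrounding whitespace trimmed. Prints nothing
# when the file or the key is missing.
current_protocols() {
    file="$1"
    [ -f "$file" ] || return 0
    grep -v '^[[:space:]]*#' "$file" \
        | grep "^[[:space:]]*$KEY[[:space:]]*=" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Ensure FILE ends up with exactly one active "KEY=polling" line.
# An existing assignment that also lists another protocol is commented
# out rather than left beside a duplicate key, so the last-wins value
# is unambiguous.
ensure_polling_protocol() {
    file="$1"
    if [ ! -f "$file" ]; then
        printf '%s=%s\n' "$KEY" "$WANT" > "$file"
        return
    fi
    if grep -q "^[[:space:]]*$KEY[[:space:]]*=" "$file"; then
        sed "s/^\([[:space:]]*$KEY[[:space:]]*=.*\)\$/# \1/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    fi
    printf '%s=%s\n' "$KEY" "$WANT" >> "$file"
}

# Exit 0 when the effective value is exactly "polling", 1 otherwise.
# Use this after the server restart, alongside the Agents -> Parameters
# Report check for teamcity.agent.protocol described above.
protocol_is_polling() {
    [ "$(current_protocols "$1")" = "$WANT" ]
}
```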

Hi Pavel,

Thanks for the assistance. If I read the issue you flagged correctly, upgrading to 10.0.4 should resolve my issue, or do I also need to specify the internal property that you referenced? Currently, when I query the teamcity.agent.protocol parameter in the Agents -> Parameters Report it returns the polling value, which is what we want, but the security scan is still able to send commands to the XML-RPC port. Hopefully 10.0.4 will ensure that this is no longer the case.

Thanks again,
Dwayne

0

Yes, upgrading to 10.0.4 should disable the XML-RPC port on agents as well.

0

Awesome! Thank you so much. I'll make the upgrade and let you know if there are still any issues.

0

Hi Pavel,

I just wanted to report back success! The security vulnerability has been removed with the installation of 10.0.4. Thanks again for all of your help. You guys can mark this issue as Answered.

Best Regards,
Dwayne

0

Hi,
We are running 2017.1.1 (build 46654), and have the same issue, as our agent was flagged as vulnerable to a critical exploit.

We do use unidirectional agent communication, the property teamcity.agent.communicationprotocol is polling. Any ideas?

0

Hi curios,

Seems like the agent cannot establish a unidirectional connection and falls back to polling.
Check your reverse proxy settings/logs. You might also want to try connecting the agent directly to the TeamCity server port to check if the proxy is to blame.

logs\teamcity-agent.log can also have details on why the agent does not connect using the unidirectional protocol.

0
