Hopefully someone here can help me with an issue I'm facing with TeamCity at the moment. I work for a federal agency and security measures are increasing across the federal space. We've been using TeamCity for about a year now and it was recently flagged as a security vulnerability by a security tool used here called Nessus. We were using TeamCity 8.1 and the results of the assessment instructed that we upgrade to version 10.0 or later (the full report details are below) because the version we were using used bidirectional communication and we needed to use unidirectional communication. We upgraded to version 10.0.3 and saw that unidirectional was the default so we thought we would pass the scan after that. Unfortunately, we still fail the scan with the reason being that the agent can behave as multidirectional even though unidirectional is enabled.
Ultimately, we just want to pass the security scan, so is there a way that the bidirectional communication can be disabled completely? If not, do you have any suggestions on how to resolve this issue? Again, the details of the scan results are below.
Plugin ID: 94675
Plugin Name: JetBrains TeamCity Agent XML-RPC Port RCE
Description: JetBrains TeamCity agent is running on the remote host. It is, therefore, affected by a remote command execution vulnerability due to the agent behaving as a multidirectional agent even when the unidirectional protocol is enabled. An unauthenticated, remote attacker can exploit this to execute commands via the XML-RPC port, resulting in the disclosure of sensitive information, a denial of service condition, or the execution of arbitrary shell commands.
Solution: Upgrade JetBrains TeamCity agent to version 10.0 (42002) or later and use unidirectional agent communication.
Risk Factor: Critical