The remote maintenance software AnyDesk for Windows contains a vulnerability in versions up to and including 8.1.0 (CVE-2024-52940, base score 7.5). If "Allow Direct Connections" is enabled in the affected Windows versions of AnyDesk, the software unintentionally exposes a public IP address in its network traffic.
To exploit this, the attacker must know the victim's AnyDesk ID. Ebrahim Shafiei discloses the details on this GitHub page. A tool called Abdal AnyDesk Remote IP Detector exists as a proof of concept (PoC) that exploits this zero-day vulnerability. The vulnerability was discovered on 27 October 2024 in the AnyDesk feature "Allow Direct Connections".
If this option is enabled and the connection port is set to 7070 on the attacker's system only, an attacker can retrieve a target's public IP address using nothing but the AnyDesk ID. No configuration changes need to be made on the target system.
If both systems are on the same network, the attacker can additionally retrieve the target system's private IP address. The discoverer writes that this vulnerability poses a considerable privacy risk, especially where the remote access tool's security configuration is insufficiently protected. Details can be found on the linked GitHub page. There is apparently no patch for the vulnerability yet.
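As an added illustration of the defensive side of this report (this is example code written for this page, not code from the article, from AnyDesk or from the researcher), the following Python audit parses an AnyDesk service configuration and reports whether an installation matches the affected combination described above: a version up to and including 8.1.0 with "Allow Direct Connections" enabled. The configuration path `C:\ProgramData\AnyDesk\service.conf` and the key name `ad.anynet.direct` are assumptions to be verified on a real host, the version is supplied by the caller rather than read from the file, and the sample configuration is constructed.

```python
"""Audit an AnyDesk for Windows installation for the CVE-2024-52940 condition.

Added example, not AnyDesk's or the researcher's code.  Assumptions, to be
verified on a real host: the "Allow Direct Connections" option is stored as
the line ``ad.anynet.direct=true`` in ``%ProgramData%\\AnyDesk\\service.conf``,
and the installed version is supplied by the caller (for example from the
file version of AnyDesk.exe).  Versions up to and including 8.1.0 are the
ones the report names as affected.
"""
from pathlib import Path
from typing import Dict, Tuple

DIRECT_KEY = "ad.anynet.direct"                 # assumed key behind "Allow Direct Connections"
LAST_AFFECTED = (8, 1, 0)                       # last affected release named in the report
DEFAULT_CONF = Path(r"C:\ProgramData\AnyDesk\service.conf")  # assumed location


def parse_conf(text: str) -> Dict[str, str]:
    """Parse the key=value lines of an AnyDesk .conf file into a dict.

    Blank lines, '#' comments and lines without '=' are skipped; a key that
    appears twice keeps its last value.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.0.12' into (8, 0, 12); missing trailing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")[:3] if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def direct_connections_enabled(settings: Dict[str, str]) -> bool:
    """True when the assumed direct-connection key is switched on."""
    return settings.get(DIRECT_KEY, "false").strip().lower() in ("true", "1")


def audit(conf_text: str, version: str) -> Dict[str, object]:
    """Combine the setting and the version into a verdict and a recommended action."""
    settings = parse_conf(conf_text)
    direct = direct_connections_enabled(settings)
    affected_build = parse_version(version) <= LAST_AFFECTED
    exposed = direct and affected_build
    if exposed:
        action = "disable 'Allow Direct Connections' until a fixed release is installed"
    elif direct:
        action = "version not listed as affected; keep direct connections only if needed"
    else:
        action = "direct connections disabled; not exposed to CVE-2024-52940"
    return {
        "version": version,
        "direct_connections": direct,
        "affected_build": affected_build,
        "exposed": exposed,
        "action": action,
    }


def audit_file(version: str, path: Path = DEFAULT_CONF) -> Dict[str, object]:
    """Audit a configuration file on disk (the default path is an assumption)."""
    return audit(path.read_text(encoding="utf-8", errors="replace"), version)


# Constructed sample configuration, not copied from a real installation.
SAMPLE_CONF = """\
# constructed service.conf excerpt
ad.anynet.id=123456789
ad.anynet.direct=true
"""

if __name__ == "__main__":
    for ver in ("8.0.12", "8.1.0", "8.1.1"):
        print(ver, audit(SAMPLE_CONF, ver))
```

Run against the sample, the 8.0.12 and 8.1.0 cases come back as exposed and the 8.1.1 case does not; on a real host call `audit_file("<installed version>")` after confirming the file location and key name for the installed build.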
Doesn't impress me much, but maybe I'm misunderstanding something.
:))))
Haven't had one of these in a long time! I'm delighted and have nothing but schadenfreude left. Anyone who still hasn't understood has to go under.
We've been using only VPNs for a long time now. And the customer who didn't want to spend 180 euros on an AlixBoard with OPNsense/pfSense got dropped.
For quickly getting onto a relative's computer, yeah, okay. Download it FRESH and run it once. But no matter what business you're in, that junk doesn't belong permanently installed.
And when I then read that our KRITIS partly uses Fortinet/Palo Alto or Cisco Disco, the daily hacks don't surprise me…
But as I learned today, Windows is the most secure OS in the world..
Somehow I don't understand the problem.
This "vulnerability" doesn't grant any access to the system at all; it only reveals the public IP, or, if attacker and target are on the same network, the local IP.
The latter is completely irrelevant: if the attacker is already on the same network, that is truly the last thing you need to worry about.
And what does the public IP gain the attacker?
Nothing, because he doesn't get past the router.
Any random port scan on the public IP is potentially more dangerous.
Dear Chris,
The AnyDesk IP Leak vulnerability, while seemingly minor, carries significant risks that should not be overlooked:
1. Confidentiality and the Security Triad: Confidentiality is one of the core pillars of the security triad (Confidentiality, Integrity, Availability), which ensures the protection of sensitive information. This vulnerability directly compromises this pillar by exposing public IP addresses without user consent. Such exposure undermines user privacy and can be exploited for malicious purposes, including profiling or targeted attacks.
2. Privacy Concerns: Public IP addresses reveal more than just a series of numbers. They allow attackers to approximate the user's geographic location, identify the Internet Service Provider (ISP), and determine whether the user is connected via VPN, proxy, or a data center. This information is highly valuable for attackers seeking to build profiles of their targets or tailor attacks specifically to them.
3. Local Network Exploitation: If an attacker shares the same network as the target, the private IP address can be used to identify specific devices on the network. This opens the door for further exploitation, such as lateral movement or direct attacks on other devices.
4. Ease of Exploitation: The simplicity of this vulnerability is particularly concerning. An attacker requires no interaction or approval from the target. Merely possessing the target's AnyDesk ID and enabling "Allow Direct Connections" on their system is enough to extract sensitive IP information.
5. AnyDesk's Responsibility: As a provider of remote desktop solutions, AnyDesk has a fundamental obligation to protect the privacy and security of its users. Sensitive information, such as IP addresses, should never be exposed without explicit consent. This breach of confidentiality not only undermines user trust but also poses significant security risks for individuals and organizations relying on the platform.
While an IP leak might appear trivial, the reality is far more concerning. Exposed IP addresses can be leveraged for a variety of attacks, including Distributed Denial of Service (DDoS), phishing, and even advanced profiling for spear-phishing campaigns. AnyDesk must address this vulnerability promptly to uphold its reputation and fulfill its responsibility to safeguard user data.
Kind regards,
Dear Ebrahim
1. Every website I visit can see my public IP address, so sharing the public IP is the rule rather than the exception when browsing the web
2. Same as 1., the public IP is no secret at all
3. If the attacker is already on the same network, a port scan on port 7070 reveals the same information. At that point, Anydesk is no longer the issue—and they wouldn't even need to know the AnyDesk ID for this.
4. Same as 1. and 2., the public IP is not sensitive information
5. I agree that the vulnerability needs to be fixed, but it currently poses no greater risk than any random port scan targeting the public IP.
In summary:
While Anydesk may reveal the public IP in this scenario, this information alone is far from enough to constitute an immediate threat. The real question to ask here is whether an Anydesk installation makes a system a more attractive target via its public IP. In my opinion, the answer is no. A public IP becomes an attractive target only if it has port forwarding enabled or if access to a router via the WAN interface is active. These vulnerabilities, however, are not dependent on an Anydesk installation.
Dear Chris,
Thank you for your detailed response. Your points are valid from the perspective of a typical user who may not hold critical or sensitive data on their system. Many users indeed overlook security vulnerabilities with the rationale that, "If hacked, I can simply reinstall Windows and move on." However, when we elevate the discussion to an organizational or national security level, this seemingly minor issue can have profound implications.
# Let me address your points while adding perspective:
## 1. "Every website I visit can see my public IP."
When you visit a website, you do so with awareness and consent, knowing that your public IP address will be visible to the website. This is a conscious decision on your part. However, with the AnyDesk vulnerability, the situation is fundamentally different. Here, an attacker can retrieve your public IP address without your knowledge or explicit consent. This lack of consent is a significant privacy violation and a notable distinction from casual web browsing.
## 2. "The public IP is no secret at all."
While it is true that a public IP address is not "secret," it is still protected under privacy laws such as the BDSG (German Federal Data Protection Act) and the GDPR (General Data Protection Regulation). These laws consider public IP addresses as personal data, and exposing them without user consent constitutes a violation of user rights. According to these frameworks, AnyDesk's exposure of this data can be seen as a breach of digital privacy, making it part of the user's protected assets.
Furthermore, as I mentioned earlier, the criticality of this issue depends entirely on perspective. While it may appear insignificant to a casual user, it becomes a substantial privacy and security concern in sensitive contexts, such as organizational or governmental environments.
## 3. "An attacker on the same network can get the IP via port scanning."
It seems that there might be a misunderstanding about how the vulnerability works. There is no need to perform a port scan on port 7070 to exploit this vulnerability. The attack functions in such a way that only the attacker needs to have the settings configured on their system, not the target.
This eliminates the additional step of actively scanning the target's system. As long as the attacker's system has the "Allow Direct Connections" option enabled and port 7070 configured, they can obtain the target's public (and private, if in the same network) IP address simply by entering the target's AnyDesk ID and initiating a connection.
This significantly lowers the barrier for exploitation, making it easier and faster for attackers to compromise user privacy, especially in shared or public networks.
## 4. "Public IP is not sensitive information."
While you argue that the public IP is not sensitive, cybersecurity best practices consider it so, particularly in organizational environments. Even in non-critical scenarios, public IP exposure can be the starting point for attacks such as Distributed Denial of Service (DDoS) or systematic port scanning, especially for servers or endpoints with exposed services.
## 5. "This poses no greater risk than a random port scan."
The difference lies in specificity. A random port scan involves millions of IPs, while the AnyDesk vulnerability allows targeted reconnaissance. With only the AnyDesk ID, an attacker can pinpoint a system's IP and tailor their approach accordingly.
# Answer to Your Question: Does AnyDesk Make Systems More Attractive Targets?
The answer depends on the scenario:
For Regular Users: You are partially correct; a public IP without exposed ports may not make a typical system an attractive target.
For Servers or Static IPs: Systems with static IPs and critical services mapped to external ports become prime targets. For instance, if port forwarding is enabled for RDP (port 3389) or other critical services, an attacker can use the revealed public IP to identify the server and begin exploitation attempts.
In environments where operational security (OPSEC) is paramount—such as espionage, military operations, or corporate R&D—a public IP leak can be catastrophic. For example, revealing the approximate location of an operative or server can expose projects costing millions of dollars and jeopardize national or organizational security.
===========================
# A Personal Note
Chris, I want you to know that my passion is people and creating a safer world for everyone. My work is driven by love and a desire to make our digital spaces secure. I also have a deep respect for Germany and its people, which is why I am committed to helping German companies grow and thrive.
As a cybersecurity researcher, I have chosen a mission for myself: to serve humanity through my scientific expertise. Every vulnerability I uncover and every solution I propose is part of this larger mission to protect lives and foster trust in the digital age.
Yours sincerely,
Ebrahim Shafiei
Oh, "Confidentiality and the Security Triad: Confidentiality is one of the core pillars of the security triad (Confidentiality, Integrity, Availability), "
Man, what kind of nonsense is that
it used to be:
There is no security by obscurity.
and now a public IP is supposed to be a threat?
AnyDesk? Wasn't there something…? Oh right, it's blocked via AppLocker based on potential file names and vendor signatures. Well…