[German]A short warning to readers who use the TeamViewer remote maintenance software still with a "personal password". The client for Windows should urgently be updated to version 15.51.5. The manufacturer has published a security notice stating that older software versions only offer incomplete protection of personal password settings. Here are the details what you need to know.
Advertising
TeamViewer is a proprietary software for remote access, remote control and remote maintenance of computers and other end devices that was released in 2005. I came across the information via the following tweet that TeamViewer has published the security warningTV-2024-1001 (Incomplete protection of personal password settings) .
The provider TeamViewer warns of the vulnerability CVE-2024-0819 in its remote maintenance client for Windows, Linux and macOS. By improperly initialising the default settings in the TeamViewer Remote Client prior to version 15.51.5 for Windows, Linux and macOS, a user with low privileges can increase their rights. This is possible by changing the setting for the personal password and establishing a remote connection to a logged-in admin account, according to the NIST page.
The vendor is a little more specific and writes that a vulnerability was found in the TeamViewer client prior to version 15.51.5 that could allow an unprivileged user on a multi-user system to set a personal password.
In the Teamviewer client prior to version 15.51.5, access to the personal password setting does not require administrator rights. A low privileged user on a multi-user system who has access to the client can set a personal password. This may allow an unprivileged user to establish a remote connection to other currently logged in users on the same system.
Advertising
The vulnerability has a CVSS 3.0 score of 7.8 (High) and affects all client versions prior to version 15.51.5 that use a personal password. The problem has been fixed with version 15.51.5..
- Teamviewer Remote Full Client < 15.51.5 Update available
- Teamviewer Remote Host < 15.51.5 Update available
TeamViewer clients with activated setting "Changes require administrative rights on this computer" or additional security functions, e.g:
- Password options
- Conditional access
- BYOC
- Block & Allow List
Access control
TFA for connections
One-time password
that are active and correctly configured are not affected. TeamViewer recommends the use of Easy Access for unattended access. In combination with two-factor authentication, this protection covers access to the TeamViewer account and any computer that is supported via TeamViewer.
