CVE-2019-18988

TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system.

CVSS v3 7.0 HIGH
CVSS v2.0 4.4 MEDIUM

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264	Vendor Advisory
https://community.teamviewer.com/t5/Knowledge-Base/tkb-p/Knowledgebase?threadtype=label&labels=Security	Vendor Advisory
https://twitter.com/Blurbdust/status/1224212682594770946?s=20	Third Party Advisory
https://whynotsecurity.com/blog/teamviewer/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:teamviewer:teamviewer:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-02-07 16:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-18988

Mitre link : CVE-2019-18988

CVE.ORG link : CVE-2019-18988

JSON object : View

Products Affected

teamviewer

teamviewer

CWE

CWE-521

Weak Password Requirements

{"id": "CVE-2019-18988", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2020-02-07T16:15:10.033", "references": [{"url": "https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://community.teamviewer.com/t5/Knowledge-Base/tkb-p/Knowledgebase?threadtype=label&labels=Security", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://twitter.com/Blurbdust/status/1224212682594770946?s=20", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://whynotsecurity.com/blog/teamviewer/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-521"}]}], "descriptions": [{"lang": "en", "value": "TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system."}, {"lang": "es", "value": "TeamViewer Desktop versiones hasta 14.7.1965, permite omitir el control de acceso del inicio de sesi\u00f3n remoto porque la misma clave es usada para las instalaciones de diferentes clientes. Us\u00f3 una clave AES compartida para todas las instalaciones a partir, de al menos, hasta la versi\u00f3n v7.0.43148, y la us\u00f3 para al menos OptionsPasswordAES en la versi\u00f3n actual del producto. Si un atacante fuese conocido esta clave, podr\u00eda descifrar la informaci\u00f3n de protecci\u00f3n almacenada en el registro o en los archivos de configuraci\u00f3n de TeamViewer. Con versiones anteriores a v9.x, esto permit\u00eda a atacantes descifrar la contrase\u00f1a de Unattended Access en el sistema (que permite el inicio de sesi\u00f3n remoto en el sistema, as\u00ed como la exploraci\u00f3n de archivos sin encabezado). La \u00faltima versi\u00f3n a\u00fan utiliza la misma clave para OptionPasswordAES pero parece haber cambiado la manera en que se almacena la contrase\u00f1a de Unattended Access. Mientras que en la mayor\u00eda de los casos un atacante requiere una sesi\u00f3n existente en un sistema, si las claves de registro/configuraci\u00f3n fueron almacenadas fuera de la m\u00e1quina (como en un recurso compartido de archivos o en l\u00ednea), un atacante podr\u00eda descifrar la contrase\u00f1a requerida para iniciar sesi\u00f3n en el sistema ."}], "lastModified": "2020-08-24T17:37:01.140", "cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:teamviewer:teamviewer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1169616E-3D16-4688-8402-8E922F26B339", "versionEndIncluding": "14.7.1965"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "TeamViewer Desktop Bypass Remote Login Vulnerability"}