Statement on recent brute-force research (CVE-2018-16550)

Dear TeamViewer Community,

We are aware of the brute-force vulnerability that was brought to our attention by a security researcher. Data security has top priority at TeamViewer. Therefore, we are currently evaluating this case and will inform our users as soon as we have an appropriate solution.

For the time being, users can strengthen their passwords by going to Extras | Options | Security | password strength and select a password strength of 6 characters and above.

Please find out more about setting up strong passwords on our community : All about passwords. As with every software, our recommendation is to have strong passwords to protect your devices.

Best regards,

Esther

Find more posts tagged with

Security

Accepted answers

Esther

Hi all,

As with every software, our recommendation is to have not only strong but also unique passwords to protect your devices.

You are always able to increase the complexity of the random TeamViewer password for spontaneous access to up to 10 characters, work with a personal password or use easy access. For TeamViewer versions for Windows, macOS, and Linux the default password strength has changed from 4 digits to 6 characters.
As always, we recommend only to download TeamViewer from our download page and never from any third party page: https://www.teamviewer.com/download

Please make sure to always use the latest version of a release.
For the sake of completeness are these the latest releases for TeamViewer 10, 11, 12, 13, and 14 (as of today: April 25th, 2019)

TeamViewer 10:
Windows: 10.0.134865
macOS: 10.0.140455
Linux: 10.0.140685

TeamViewer 11:
Windows: 11.0.133222
macOS: 11.0.140568
Linux: 11.0.137769

TeamViewer 12:
Windows: 12.0.181268
macOS: 12.0.139437
Linux: 12.1.83885

TeamViewer 13:
Windows: 13.2.36215
macOS: 13.2.75535
Linux: 13.2.75536

TeamViewer 14:
Windows: 14.2.8352
macOS: 14.2.8352
Linux: 14.2.8352

Thanks and best,

Esther

All comments

Esther

Hi all,

As with every software, our recommendation is to have not only strong but also unique passwords to protect your devices.

Please make sure to always use the latest version of a release.
For the sake of completeness are these the latest releases for TeamViewer 10, 11, 12, 13, and 14 (as of today: April 25th, 2019)

TeamViewer 10:
Windows: 10.0.134865
macOS: 10.0.140455
Linux: 10.0.140685

TeamViewer 11:
Windows: 11.0.133222
macOS: 11.0.140568
Linux: 11.0.137769

TeamViewer 12:
Windows: 12.0.181268
macOS: 12.0.139437
Linux: 12.1.83885

TeamViewer 13:
Windows: 13.2.36215
macOS: 13.2.75535
Linux: 13.2.75536

TeamViewer 14:
Windows: 14.2.8352
macOS: 14.2.8352
Linux: 14.2.8352

Thanks and best,

Esther

Scotty

Hi everyone,

A patch for the issue is currently being rolled out for TV13 and an expanding range of legacy versions. To trigger the update, open TeamViewer and click on “help > check for new version”.

On a side note, and to adapt to nowadays technological reality, we changed the default password setting from 4 to 6 characters. Users will still be able to use a 4 digit password, however they will have to proactively reduce the password strength.

All the best,
-Scotty

rdubois

Dear,

Is there an update regarding this potential vulnerability ? Is it confirmed ?

regards,

R. Dubois

Esther

Hi @rdubois

We are working on a solution which will be provided soon.

There is an option to avoid this by default and we recommend this in the meantime.

Please find out more about setting up strong passwords on our community : All about passwords. As with every software, our recommendation is to have strong passwords to protect your devices.

Best, Esther

kjulson

There seems to be a big disconnect on who you think your users are Scotty. "To trigger the update, open TeamViewer and click on “help > check for new version”." Do you really think that is the best upgrade option for businesses with hundreds of installations?

Also, you are assuming that everyone is on version 13. Any previous version performing your suggested "upgrade method" will install version 13 which they are not licensed for. Now they cannot connect to their remote systems. Obviously not much thought was given on the content of this post.

How about we do this a little more professionally and give links to download the various versions?

Esther

Hi all,

we enabled the auto-update for the most recent TeamViewer update which includes the patch for the issue.

The update will be installed automatically on all TeamViewer clients which have the auto-update enabled under Extras --> Options --> Advanced --> Show advanced options --> Check for new versions: Daily and Install new versions automatically --> Updates within this major version or All updates.

Please be aware that the auto-update might take a few days until it reaches all clients.

We are working on further extending the fix as much as we can.

Thanks and all the best, Esther

thop

Hi Esther

Our user network have installed version 7 TeamViewer clients using the custom module, ie. with our logo and provides a simplified interface.

The simplified interface does not provide a 'check for updates' option.

Does it have any auto-update facility built in?

If not, is our only means to contact our user base and ask them to manually update their software?

Many thanks for your help

Kind regards

Tom

Esther

Hi Tom

Thanks for your post.

Yes, the QuickSupport module automatically checks for new update each time as it is being downloaded from our infrastructure. So when you are working with the SOS button or the module linked to the link provided via the Management Console "get.teamviewer.com/yourcustomizedname" it will always download the latest version of the main version you created the QuickSupport for.

Thanks, Esther

danielf

Thank you for adding the CVE here, it makes it easier to find.

One further question arises: which versions of TV contain the fix for this issue? Scotty mentioned new, fixed versions being made available on October the 4th, however on the download page the available Windows version is 13.2.14327, which according to this post has been release in August. Therefore it cannot possibly contain the mentioned fix.

A list of versions (ideally one for each platform, e.g. Windows, macOS, etc) would be helpful in order to be able to easily determine whether one is affected by this or not.

Thanks for your support!

Esther

Hi Daniel,

I am afraid the version number on the web page is not up to date. I am checking internally to get this fixed. But I can assure you: when downloading TeamViewer 13 from our site, you´re getting the fixed version and a higher version number.

Regarding the fixed version numbers, I am checking with the team and will post further communication addressing the CVE soon.

Thanks again,

Esther

danielf

Hi Esther,

any news regarding the exact fixed versions?

Esther

Hi @danielf

While TeamViewer 14 is being released - of course including the fix - our main focus is on adapting the patch to older versions which requires an enormous amount of time.

I will keep you updated on any news in this thread.

Thanks and best,

Esther

rika

kermit5

Could you please confirm that the patch has also been rolled out in TV Versions 10 to 12 and not only in TV 13?

Esther

Hi @kermit5

Please see my post here.

Thanks and best,

Esther