Statement on Recent Post - CVE-2019-18988

Hi all,

TeamViewer is safe to use. You may have seen a recent blog post and subsequent Social Media discussions regarding the reverse engineering of some locally stored TeamViewer settings. While our security engineers are looking into this issue with all due diligence, we would like to stress that we do not deem it highly critical upon first assessment.

The issue does not affect TeamViewer account passwords needed to log into TeamViewer. Also, in order to take advantage of the issue, someone would need to have already gained access to a user’s system via other means.

Regardless of our assigned criticality, we certainly take the provided information very seriously as it shows that there is room for improvement, which we are already addressing. We will be reaching out to the researcher to discuss his findings and will update you on our potential mitigation steps shortly.

Again, TeamViewer is safe to use. As always, we encourage our users to always use the latest TeamViewer version and to keep their systems updated. Please do not hesitate to contact our support team with any questions you might have.

Best regards,
Natascha

Find more posts tagged with

Security

Announcement

Comments

JoshP

Hello @whitefish @C0ntr07 @QuillOmega0 @JulioRossini

Thank you all for your feedback.

We have posted a more in-depth explanation of the findings here.

whitefish

It appears there is a new hack. This blog report was created Feb, 2, 2020 posted Feb. 3rd (yesterday). The hacker was using Teamviewer 7 and 14 ( no word on version 15 ).

Is there a newly found vulnerability?

https://whynotsecurity.com/blog/teamviewer/

C0ntr07

Natascha your statements, "we do not deem it highly critical upon first assessment" and " TeamViewer is safe to use" shows a complete lack of taking this matter seriously. While you might not understand the potential impact, those of us with Global Security responsibilities certainly do.

TeamViewer really didn't take this that seriously - did you?

Timeline:

November 05th, 2019: Reach out to @TeamViewer_help on Twitter
November 05th, 2019: Send email to the Director of Security
November 14th, 2019: Request CVE based on precedent set by CVE-2014-1812
November 15th, 2019: Receive CVE-2019-18988
November 15th, 2019: Send email to Director of Security notifying them there is now a CVE assigned to this
November 18th, 2019: Receive first and only email back from vendor “We’re looking into it” email
January 13th, 2020: Status update request email sent to Director of Security
February 03rd, 2020: Publish writeup

If your position turns out to be inaccurate, will you accept financial responsiblity for our loses?

I thought not.

FYI - here is the POC https://github.com/rapid7/metasploit-framework/pull/12900

QuillOmega0

So when you say:

@Natascha wrote:
Hi all,
TeamViewer is safe to use. You may have seen a recent blog post and subsequent Social Media discussions regarding the reverse engineering of some locally stored TeamViewer settings. While our security engineers are looking into this issue with all due diligence, we would like to stress that we do not deem it highly critical upon first assessment.
The issue does not affect TeamViewer account passwords needed to log into TeamViewer. Also, in order to take advantage of the issue, someone would need to have already gained access to a user’s system via other means.
Regardless of our assigned criticality, we certainly take the provided information very seriously as it shows that there is room for improvement, which we are already addressing. We will be reaching out to the researcher to discuss his findings and will update you on our potential mitigation steps shortly.
Again, TeamViewer is safe to use. As always, we encourage our users to always use the latest TeamViewer version and to keep their systems updated. Please do not hesitate to contact our support team with any questions you might have.
Best regards,
Natascha

This means any domain joined computer with multiple user accounts now has a user able to elevate to local adminsitrator rights?

Do you now see how that can be a problem?

JulioRossini

The vulnerability notice was made more than two months ago.

Security team must have taken the warning seriously.
https://whynotsecurity.com/blog/teamviewer/