Statement on CVE 2020-13699

Hi all,

Today we are releasing some updates for TeamViewer 8 through 15, for the Windows platform.

We implemented some improvements in URI handling relating to CVE 2020-13699.

Please see our Change Logs here.

Nota Bene: Thank you, Jeffrey Hofmann with Praetorian, for your professionalism and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release.

All the best,

Esther

Find more posts tagged with

Security

Announcement

Comments

jcdelclisard

Hi @Esther,

You mentionned that it impacts modules using the installer. Can you confirm that it does not affect at all QuickSupport version and that we don't need to update it at our customer premises because you indicate that the latest version can be downloaded from your website.

Thanks

Esther

Hi @chad3

It impacts modules using the installer. That means the TeamViewer Host and the full version.

Every QuickSupport downloaded now from our website, or the customized links will be on the latest version automatically. There is no need to update them proactively.

Thanks and best,

Esther

chad3

Does this vulnerbility applies to TeamViewerQS?

Sascha2

@A2theB wrote:
I would think that being able to setup auto-updates for the MSI version would be strongly desired by many and is a sure miss here by the TeamViewer team.

not for me, one of the first things i want to disable is the update notification. If you use MSI for installation you mostly use some software deployment and the the last thing you want is that some program is updating itself to a non-tested version with some special updater process (which also needs admin rights)

A2theB

Why would the MSI version not be configurable for auto-update? That's the main benefit of using an MSI is you can deploy it to a lot of machines in an automated fashion. I would think that being able to setup auto-updates for the MSI version would be strongly desired by many and is a sure miss here by the TeamViewer team.

Esther

Hi @davidvr

The CVE describes one of the possible scenarios - you could call it the worst-case scenario but with the update, we also fixed other scenarios that could happen.

Best, Esther

davidvr

I'm afraid that is not a very clear answer.

The URI is how the exploit is executed, and if I understand your answer, the code is there but not actually activated in the host module. That would lead me to believe that after the host module is installed, there is no way to craft a webpage that would utilize the host module to get the system account credentials which is the main concern around this CVE.

Esther

Hi @davidvr

Thanks for your question.

Yes - it is correct that Host modules cannot launch a session, however - the URI handler is part of the installer and as the Host module is installed it is in there.

Hope that helps,

Esther

davidvr

To my knowledge, the Host module has never had URI handling built into it because it never was able to launch a session. Please explain how that would be affected.

mLipok

@Esther wrote:
Hi @mLipok @Sascha2

First of all, as you already know, there is no build-in feature for this.

Also, TeamViewer does not officially support such a deployment. However, I talked to our engineers, and they mentioned a work-around.

.....

thank you for this information

Of course I suppose that there is no built in feature, and chcecked it twice.
But was wondering if this is possible.

I will try this workaround ASAP.

Esther

Hi @danny4

Every QuickSupport downloaded now from our website, or the customized links will be on the latest version automatically. There is no need to update them proactively.

Hi @techmavcr

We released an update for TeamViewer 9 as well.

Please find it here: Download TeamViewer 8 and 9 (This version will work with your license for TeamViewer 9).

I posted the Change log here: [Windows] v9.0.258860 - Change Log

Hi @agazpar

As @Fiona_G already mentioned, you can find the downloads for TeamViewer 8 and 9 in our Community Download TeamViewer 8 and 9

Thanks and best,

Esther

Hi @mLipok @Sascha2

First of all, as you already know, there is no build-in feature for this.

Also, TeamViewer does not officially support such a deployment. However, I talked to our engineers, and they mentioned a work-around.

Please know, that

we do not recommend doing this and
we do not support this and
in case of any issues, our support can and will not be able to assist you

If you still want to give it a try: you could set the registry values for the autoupdate

UpdateCheckInterval=3

UpdateChannel=2

Please keep in mind that

the MSI will not make any updates regardless of the registry value you entered
It may talk a while until the next update will be started
the TeamViewer service must be restarted for the changes to take effect in the registry.

One important thing I´d like to mention is that the best way is to activate the auto-update within this major version for all your installations.

Thanks and best,

Esther

Fiona_G

Hi @agazpar,

We are sorry for the inconvenience caused.

To download TeamViewer 9, please scroll down to the bottom on the page and click Need an earlier version or directly from Download TeamViewer 8 and 9. 2020-08-12 12_58_43-Previous versions of TeamViewer _ 14 - 13 - 12 - 11 - 10.png I hope this information would be helpful.

Kind regards,

Fiona

agazpar

Where i can download the update for the version 9.0.258860, because in the link https://www.teamviewer.com/en/download/previous-versions/ does not show the verion 9.

techmavcr

@Esther in can't install v15 because that will kill my license, my license is V9.

danny4

Do i also need to update the quicksupport executable?

mLipok

maybe somebody from TeamViewer Team have any idea if it is possible to automaticaly update TV Host in such case ?
Maybe by command line I can force TeamViewer to update ?

This will give me a change to add task to task scheduler.

Sascha2

If you have 300 different clients == 300 different hosts (on different/distant Windows Server) which are not connected together because their are property of different clients.
How do you want to automatically update TeamViewer host on them without loging to them ?
EDIT:
this question is purely technical ... no malice ... i just wanna know.

Edit:

ah ok, may i got it now - 300 different customers on 300 devices ok thats a challenge

mLipok

@Sascha2 wrote:
dont want to blame you but if you have to manage 300 hosts and you are doing updates manually you are doing something wrong. just my 2 cents.

If you have 300 different clients == 300 different hosts (on different/distant Windows Server) which are not connected together because their are property of different clients.
How do you want to automatically update TeamViewer host on them without loging to them ?

EDIT:
this question is purely technical ... no malice ... i just wanna know.

Esther

@techmavcr You can update your current installation e.g. via Help --> Check for new version or you can download and install the new version from our download page.

@No-2 It impacts modules using the installer. That means the TeamViewer Host and the full version.

@Kokek If you do not have the auto-update activated and you are manually updating the software, TeamViewer will offer you:

the latest version of your current main version (e.g. TeamViewer 12) or
and update to the latest TeamViewer version available

As an example:

2020-08-11 09_36_15-v12_2.png

(Please know you will need to make two updates if you want to switch to TeamViewer in version 15.8.3 via 15.2.2756.)

In case you have the auto-update activated and the module updated itself already on the latest release, it will only offer you the update to the latest version available (TeamViewer in version 15).

One more comment: Please check under Extras --> Options --> Adanced --> under General advanced settings --> Install new versions automatically.what setting is chosen.

You might want to have All updates within this major version instead of All updates.

2020-08-11 09_35_53-v12.png

You can also deploy TeamViewer via the MSI package to your team members (Corporate license is required).

I hope this info helps you.

Best, Esther

Sascha2

@Kokek wrote:
And when you press update on a versio 12 host it installs a version 15 and kills your licence. Just another little thing that annoys costumers. And now we(it admins) need to update over 300 hosts manually because you cant make your software look for updates just for the version 12.
Terrible and annoying

dont want to blame you but if you have to manage 300 hosts and you are doing updates manually you are doing something wrong. just my 2 cents..

and yes updating TV manually over built in update feature is not the proper way in your case. why dont you take the latest version 12 and install it?

Kokek

And when you press update on a versio 12 host it installs a version 15 and kills your licence. Just another little thing that annoys costumers. And now we(it admins) need to update over 300 hosts manually because you cant make your software look for updates just for the version 12.

Terrible and annoying

No-2

Does the vulnerability mentioned in CVE 2020-13699 affect QuickSupport, or does it apply only for the full version?

techmavcr

Do I need to uninstall? reinstall or do anything?

Esther

Hi @techmavcr

Thanks for your question.

We released an update to version 9 on July 28th, 2020. Please find the Change Log and the new version number here: [Windows] v9.0.258860 - Change Log

I will go ahead and move your post underneath the Statement on CVE 2020-13699 so that also other people can benefit from your question and my reply.

Thanks and best,

Esther

techmavcr

I feel very concerned about this article, and I want to know id my version has a vulnerability about the information this article is referring

https://thehackernews.com/2020/08/teamviewer-password-hacking.html

I have 3 licenses v9

sirmicho

Thank you @Esther

Esther

Hi and good morning @sirmicho

Yes, also as @Sascha2 confirmed, TeamViewer v12.0.258869 is the latest version of TeamViewer 12 and it includes the patch discussed in this thread for CVE 2020-13699.

See the Change Log here: [Windows] v12.0.258869 - Change Log

Thanks and best,

Esther

Sascha2

@sirmicho wrote:
Hi @Esther
Hello My Teamviewer 12 client says it's 12.0.258869 (so it's the latest version), but the date is July 13 2020. And now I'm confused. Am I working on the latest, patched vesrion, or not?

same here so i guess its correct

build date of the exe is earlier than release date

sirmicho

Hi @Esther

Hello My Teamviewer 12 client says it's 12.0.258869 (so it's the latest version), but the date is July 13 2020. And now I'm confused. Am I working on the latest, patched vesrion, or not?