Posted by Community Manager

Statement on CVE 2020-13699

Hi all,

Today we are releasing some updates for TeamViewer 8 through 15, for the Windows platform.

We implemented some improvements in URI handling relating to CVE 2020-13699.

Please see our Change Logs here.

Nota Bene: Thank you, Jeffrey Hofmann with Praetorian, for your professionalism and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release.

All the best,

Esther

Community Manager

Posted by
Digon

Re: Statement on CVE 2020-13699

And how important is it to deploy the updated version in our company? No info about CVE 2020-13699 found....

Posted by Community Manager

Re: Statement on CVE 2020-13699

Hi @Sascha2 

Thanks for your post.

Meanwhile, the CVE-details have been released.

As always, we recommend updating to the latest version to benefit from the latest security patches.

Thanks and best,

Esther

Community Manager

Posted by
Digon

Re: Statement on CVE 2020-13699

Hi @Esther ,

thx for information. Sounds like update is needed.

Regards,

Sascha

Posted by
Digon

CVE-2020-13699

Hi, my company has enterprise license for TV version 10. Since we are affected by the CVE-2020-13699, do we get to patch our TV?

Posted by Community Manager

Re: CVE-2020-13699

Hi @junxian_li 

We recommend updating all TeamViewer installations to the latest version. For TeamViewer 10 the patched version number is v10.0.258873.

You find the Change Log here: [Windows] v10.0.258873 - Change Log and the download here: TeamViewer Download for previous versions

Thanks and best,

Esther

Community Manager

Posted by
Digon

Re: CVE-2020-13699

Hi Esther, 

Thanks, will update it.

Just wondering, why does another version (10.0.223995) appear when I click on Help -> Check for new version?

Posted by
Henagon

Re: Statement on CVE 2020-13699

Hi Esther,

We are on version 11.x. Do we need an update for TV_Hosts and TV-Quick-Support?
Will updated files be available for download in the TeamViewer Management Console?
Those files are last updated on the 13th of July.

Thank you.

Marc

Posted by Community Manager

Re: Statement on CVE 2020-13699

Hi @ma7c

All fresh downloads from within the Management Console should get the latest version automatically (=get.teamviewer.com/yourlink...).

The Management Console will offer you the update if you still have older versions in there via a banner that appears in the Design & Deploy tab.

That means, the next time, your customers are starting your customized modules, they should get the new version automatically.

If you deployed your Hosts via MSI, please make a new deployment with the updated Host as the MSI does not include an update feature.

Regular installed Hosts and full versions, having Automatic update enabled within the options, should already have received the update.

@junxian_li  I am checking internally with the team and get back to you soonest why the PopUp does not show the correct version number.

Thanks and best,

Esther

 

Community Manager

Posted by
Henagon

Re: Statement on CVE 2020-13699

Hi Esther,

this public Host-Installer from https://download.teamviewer.com/download/version_11x/TeamViewer_Host_Setup.exe is still an old version from last month (13th July). Will there be an update for re-deployment?

Thank you
Marc

Posted by Community Manager

Re: Statement on CVE 2020-13699

Hi @ma7c

When downloading it, it gives me the correct version (Sorry for the screenshot in German): 

Install_Host.png

See: [Windows] v11.0.258870 - Change Log

Can you check again?

Thanks, Esther

Community Manager

Posted by Community Manager

Re: CVE-2020-13699

Hi @junxian_li 

Thanks for your patience.

Would you mind testing the download again and seeing whether the PopUp now offers the correct version 10?

I am looking forward to your feedback.

Thanks and best, Esther

Community Manager

Posted by
Henagon

Re: Statement on CVE 2020-13699

That's totally correct. I was on the msi TV-Host files, the .exe files are up-to-date.

Thank you, best regards
Marc

Posted by
Photon

Re: Statement on CVE 2020-13699

@Esther The CVE indicates the vulnerability applies to version 15.8.3 also. When I attempt to update through the TV client it indicates I don't have an update, 15.8.3 is the latest available and the date on that is July 20th. 

Posted by Community Manager

Re: Statement on CVE 2020-13699

Hi @ShaverLake 

Oh - where did you read that?

But no worries - TeamViewer 15.8.3 includes the patch for the CVE - see the version's Change Log.

We also released new versions for TeamViewer 8, 9, 10, 11, 12, 13, 14.2 and 14.7 to address the topic.

Best, Esther

Community Manager

Posted by
Henagon

Re: Statement on CVE 2020-13699

@Esther 

Does TeamViewer 15.8.3 for Windows update require older versions of TeamViewer to also update due to fix in URI handling? We are receiving error when connecting from TeamViewer 15 to TeamViewer 11 Host which should be backwards compatible.

"The remote TeamViewer is running an old version which is out of date. Therefore you cannot connect to this Version anymore."

Posted by Community Manager

Re: Statement on CVE 2020-13699

Hi @MJW 

The message you got indicates that you have not been signed in with your licensed TeamViewer account when trying to start the connection as connections to older TeamViewer versions require a license.

After logging in to your Computers & Contacts list you should be able to connect again.

Still - we recommend updating all endpoints to the latest version (not necessarily to TeamViewer 15, but within their version). There is an update for TeamViewer 11 available. See its Change Log here: [Windows] v11.0.258870 - Change Log

I hope this info helps you.

Best,

Esther

Community Manager

Posted by
Henagon

Re: Statement on CVE 2020-13699

@Esther  Thank you, Esther! I believe that is the issue.

Posted by TeamViewer Star

Re: Statement on CVE 2020-13699

Could somebody from the TeamViewer Team explain/elaborate on this:

Does the problem concern the program on the side initiating the connection or also the program on the side hosting/sharing the remote desktop?

I need to know whether I should update it also on remote computer stations or only locally in my office on all my local workstations which will connect to our remote clients (my company mainly deals with IT Support for our clients/customers).

Regards,
mLipok , AutoIt MVP

Posted by Community Manager

Re: Statement on CVE 2020-13699

Hi @mLipok 

We recommend updating your local devices as well as the remote devices to apply the patch.

Best,

Esther

Community Manager

Posted by TeamViewer Star

Re: Statement on CVE 2020-13699

Even on TeamViewer Host?

Regards,
mLipok , AutoIt MVP

Posted by Community Manager

Re: Statement on CVE 2020-13699

Hi again,

Thanks for the question: yes - all installations 👍 

Best, Esther

Community Manager

Posted by TeamViewer Star

Re: Statement on CVE 2020-13699

As this is a very important thing to do, I want to refresh one question which was discussed in the following IDEAS/FeatureRequest:

https://community.teamviewer.com/t5/API-and-Scripting/How-to-get-list-of-outdated-host/m-p/91622#M11...

and ....
Ask how I can get the list of remote hosts where the TV program is outdated?

Is it possible with any TeamViewer tools/API?

Regards,
mLipok , AutoIt MVP

Posted by
Henagon

Re: Statement on CVE 2020-13699

Hi @Esther

Hello. My TeamViewer 12 client says it's 12.0.258869 (so it's the latest version), but the date is July 13 2020. And now I'm confused. Am I working on the latest, patched version, or not?

 

Highlighted
Posted by
Digon

Re: Statement on CVE 2020-13699


@sirmicho wrote:

Hi @Esther

Hello. My TeamViewer 12 client says it's 12.0.258869 (so it's the latest version), but the date is July 13 2020. And now I'm confused. Am I working on the latest, patched version, or not?

 


Same here, so I guess it's correct.

build date of the exe is earlier than release date

Posted by Community Manager

Re: Statement on CVE 2020-13699

Hi and good morning @sirmicho 

Yes, also as @Sascha2 confirmed, TeamViewer v12.0.258869 is the latest version of TeamViewer 12 and it includes the patch discussed in this thread for CVE 2020-13699.

See the Change Log here: [Windows] v12.0.258869 - Change Log

Thanks and best,

Esther

Community Manager

Posted by
Henagon

Re: Statement on CVE 2020-13699

Thank you @Esther 

Posted by
Henagon

TeamViewer Flaw Could Let Hackers Steal System Password Remotely

I feel very concerned about this article, and I want to know if my version has a vulnerability about the information this article is referring to.

https://thehackernews.com/2020/08/teamviewer-password-hacking.html

I have 3 licenses v9

Posted by Community Manager

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Hi @techmavcr 

Thanks for your question.

We released an update to version 9 on July 28th, 2020. Please find the Change Log and the new version number here: [Windows] v9.0.258860 - Change Log

I will go ahead and move your post underneath the Statement on CVE 2020-13699 so that also other people can benefit from your question and my reply.

Thanks and best,

Esther

Community Manager

Posted by
Henagon

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Do I need to uninstall? reinstall or do anything?

Posted by
Electron

Re: Statement on CVE 2020-13699

Does the vulnerability mentioned in CVE 2020-13699 affect QuickSupport, or does it apply only for the full version?

Posted by
Electron

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

And when you press update on a version 12 host it installs a version 15 and kills your licence. Just another little thing that annoys customers. And now we (IT admins) need to update over 300 hosts manually because you can't make your software look for updates just for the version 12.

Terrible and annoying

Posted by
Digon

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely


@Kokek wrote:

And when you press update on a version 12 host it installs a version 15 and kills your licence. Just another little thing that annoys customers. And now we (IT admins) need to update over 300 hosts manually because you can't make your software look for updates just for the version 12.

Terrible and annoying


Don't want to blame you, but if you have to manage 300 hosts and you are doing updates manually, you are doing something wrong. Just my 2 cents..

And yes, updating TV manually over the built-in update feature is not the proper way in your case. Why don't you take the latest version 12 and install it?

Posted by Community Manager

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

@techmavcr You can update your current installation e.g. via Help --> Check for new version or you can download and install the new version from our download page.

@No-2 It impacts modules using the installer. That means the TeamViewer Host and the full version.

@Kokek If you do not have the auto-update activated and you are manually updating the software, TeamViewer will offer you:

  • the latest version of your current main version (e.g. TeamViewer 12) or
  • an update to the latest TeamViewer version available

As an example: 

2020-08-11 09_36_15-v12_2.png

(Please know you will need to make two updates if you want to switch to TeamViewer in version 15.8.3 via 15.2.2756.)

In case you have the auto-update activated and the module updated itself already on the latest release, it will only offer you the update to the latest version available (TeamViewer in version 15).

One more comment: Please check which setting is chosen under Extras --> Options --> Advanced --> under General advanced settings --> Install new versions automatically.

You might want to have All updates within this major version instead of All updates.

2020-08-11 09_35_53-v12.png

 

You can also deploy TeamViewer via the MSI package to your team members (Corporate license is required).

I hope this info helps you.

Best, Esther

Community Manager

Posted by TeamViewer Star

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely


@Sascha2 wrote:

Don't want to blame you, but if you have to manage 300 hosts and you are doing updates manually, you are doing something wrong. Just my 2 cents.


If you have 300 different clients == 300 different hosts (on different/distant Windows Servers) which are not connected together because they are the property of different clients.
How do you want to automatically update the TeamViewer host on them without logging in to them?

EDIT:
this question is purely technical ... no malice ... i just wanna know.

Regards,
mLipok , AutoIt MVP

Posted by
Digon

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely



If you have 300 different clients == 300 different hosts (on different/distant Windows Servers) which are not connected together because they are the property of different clients.
How do you want to automatically update the TeamViewer host on them without logging in to them?

EDIT:
this question is purely technical ... no malice ... i just wanna know.

Edit:

Ah ok, maybe I got it now - 300 different customers on 300 devices. OK, that's a challenge.

Posted by TeamViewer Star

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Maybe somebody from the TeamViewer Team has any idea if it is possible to automatically update TV Host in such a case?
Maybe by command line I can force TeamViewer to update?

This will give me a chance to add a task to the task scheduler.

Regards,
mLipok , AutoIt MVP

Posted by
Henagon

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Do i also need to update the quicksupport executable?

Posted by
Henagon

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

@Esther I can't install v15 because that will kill my license, my license is V9.

Posted by
Electron

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Where can I download the update for the version 9.0.258860, because the link https://www.teamviewer.com/en/download/previous-versions/ does not show the version 9?

Posted by Moderator

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Hi @agazpar,

We are sorry for the inconvenience caused.

To download TeamViewer 9, please scroll down to the bottom on the page and click Need an earlier version or directly from Download TeamViewer 8 and 9.

I hope this information would be helpful.

Kind regards,

Fiona

 

Posted by Community Manager

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Hi @mLipok @Sascha2 

First of all, as you already know, there is no built-in feature for this.

Also, TeamViewer does not officially support such a deployment. However, I talked to our engineers, and they mentioned a work-around. 

Please know, that 

  • we do not recommend doing this and 
  • we do not support this and 
  • in case of any issues, our support can and will not be able to assist you

If you still want to give it a try: you could set the registry values for the autoupdate

UpdateCheckInterval=3

UpdateChannel=2 

Please keep in mind that 

  • the MSI will not make any updates regardless of the registry value you entered
  • It may take a while until the next update will be started
  • the TeamViewer service must be restarted for the changes to take effect in the registry.

One important thing I'd like to mention is that the best way is to activate the auto-update within this major version for all your installations.

Thanks and best,

Esther

Community Manager

Posted by Community Manager

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Hi @danny4  

Every QuickSupport downloaded now from our website, or the customized links will be on the latest version automatically. There is no need to update them proactively.

 

Hi @techmavcr 

We released an update for TeamViewer 9 as well.

Please find it here: Download TeamViewer 8 and 9 (This version will work with your license for TeamViewer 9).

I posted the Change log here: [Windows] v9.0.258860 - Change Log

 

Hi @agazpar 

As @Fiona_G already mentioned, you can find the downloads for TeamViewer 8 and 9 in our Community Download TeamViewer 8 and 9 

Thanks and best,

Esther

Community Manager

Posted by TeamViewer Star

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely


@Esther wrote:

Hi @mLipok @Sascha2 

First of all, as you already know, there is no built-in feature for this.

Also, TeamViewer does not officially support such a deployment. However, I talked to our engineers, and they mentioned a work-around. 

.....


thank you for this information

Of course I suppose that there is no built-in feature, and checked it twice.
But was wondering if this is possible.

I will try this workaround ASAP.

Regards,
mLipok , AutoIt MVP

Posted by
Henagon

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

To my knowledge, the Host module has never had URI handling built into it because it never was able to launch a session. Please explain how that would be affected. 

Posted by Community Manager

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Hi @davidvr 

Thanks for your question.

Yes - it is correct that Host modules cannot launch a session, however - the URI handler is part of the installer and as the Host module is installed it is in there.

Hope that helps,

Esther

Community Manager

Posted by
Henagon

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

I'm afraid that is not a very clear answer.

The URI is how the exploit is executed, and if I understand your answer,  the code is there but not actually activated in the host module. That would lead me to believe that after the host module is installed, there is no way to craft a webpage that would utilize the host module to get the system account credentials which is the main concern around this CVE. 

Posted by Community Manager

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Hi @davidvr 

The CVE describes one of the possible scenarios - you could call it the worst-case scenario but with the update, we also fixed other scenarios that could happen.

Best, Esther

Community Manager

Posted by
Electron

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely

Why would the MSI version not be configurable for auto-update?  That's the main benefit of using an MSI is you can deploy it to a lot of machines in an automated fashion.  I would think that being able to setup auto-updates for the MSI version would be strongly desired by many and is a sure miss here by the TeamViewer team.

Posted by
Digon

Re: TeamViewer Flaw Could Let Hackers Steal System Password Remotely


@A2theB wrote:

I would think that being able to setup auto-updates for the MSI version would be strongly desired by many and is a sure miss here by the TeamViewer team.


Not for me; one of the first things I want to disable is the update notification. If you use MSI for installation, you mostly use some software deployment, and the last thing you want is that some program is updating itself to a non-tested version with some special updater process (which also needs admin rights).
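
Added example, not part of any post in this thread and not TeamViewer code: a small audit that checks a host inventory against the patched Windows builds quoted above (v9.0.258860, v10.0.258873, v11.0.258870, v12.0.258869, 15.8.3) and names the fixed build inside the same major version, so a licensed older branch is not pushed to 15. The `host,version` CSV layout, the host names and some sample builds are assumptions constructed for illustration; branches for which the thread quotes no build number (8, 13, 14) are reported as unknown.

```python
import csv
import io

# Patched Windows builds quoted in this thread, keyed by major version.
PATCHED = {
    9: (9, 0, 258860),
    10: (10, 0, 258873),
    11: (11, 0, 258870),
    12: (12, 0, 258869),
    15: (15, 8, 3),
}

# Constructed sample inventory (host names and some builds are made up).
SAMPLE_INVENTORY = """host,version
office-ws-01,15.8.3
office-ws-02,15.2.2756
client-a-srv,12.0.258869
client-b-srv,v10.0.223995
client-c-srv,11.0.100000
client-d-srv,14.2.1
client-e-srv,n/a
"""


def parse_version(text):
    """Turn '12.0.258869' or 'v12.0.258869' into a tuple of ints."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdecimal() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return (status, target); target is the patched build of the same major."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("invalid", None)
    fixed = PATCHED.get(version[0])
    if fixed is None:
        # The thread names no build for this branch; consult its Change Log.
        return ("unknown", None)
    if version >= fixed:
        return ("patched", None)
    return ("outdated", ".".join(str(n) for n in fixed))


def audit(inventory_csv):
    """Return (host, version, status, target) for every row not confirmed patched."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, target = classify(row["version"])
        if status != "patched":
            findings.append((row["host"], row["version"], status, target))
    return findings


if __name__ == "__main__":
    for host, version, status, target in audit(SAMPLE_INVENTORY):
        print(f"{host:14} {version:14} {status:9} -> {target or 'check Change Log'}")
```
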