Posted by Community Manager
Community Manager

Reaction to CVE-2018-143333

Hi all,

Data security has top priority for TeamViewer.

We are reviewing the disclosure associated with CVE-2018-143333 and are evaluating the feature to determine if actions are needed.

The scenario described refers to a usability feature that could only be subject to misuse if attackers had previously gained full control over the PC on which the password is cached. At the moment, we do not consider the issue to be critical. 

The underlying feature is available to all users and can be deactivated by unchecking the checkbox Temporarily save connection passwords via the path Extras -> Options -> Advanced -> Advanced settings for connections to other computers.

All the best,

Esther

4 Replies
Posted by Community Manager
Community Manager

UPDATE: Reaction to CVE-2018-143333

Hi all,

I would like to post an update to CVE-2018-143333: 

After thoroughly reviewing the disclosure associated with CVE-2018-143333, we have decided to take a quick measure to improve this feature.

The technical improvement consists of an automated clearance of the cached password from memory after 5 minutes.

The changes to the feature are currently in the customer testing phase and will be available by next week.

Apart from the improvement, users still have the option to disable the feature entirely following the instructions published above, by unchecking the checkbox Temporarily save connection passwords via the path Extras -> Options -> Advanced -> Advanced settings for connections to other computers.

All the best,

Esther

Posted by kkaz
Henagon

Re: UPDATE: Reaction to CVE-2018-143333

We use the QS version with proxy, integration with AD. Are we also vulnerable to this leak?

Posted by Jana_S
Photon

Re: UPDATE: Reaction to CVE-2018-143333

Hi Esther,

Does the latest update for TeamViewer 12 (12.1.29852) address this vulnerability? 

Thanks,
- Jana

Posted by Sassano
Photon

Re: UPDATE: Reaction to CVE-2018-143333

I hate this feature. 5 minutes are not usable, it is worthless.

I read in PCWelt that security may be compromised.

You can increase the security up to a level where a user cannot really work with the PC.

Most customers will close TeamViewer after any session. If they restart it, they will get a new password. I use the saved password within 2-3 hours and I loved this feature.

I close the session after a customer question is answered. Most customers will ask additional questions and I will do a reconnect. Now I must interrupt the session and ask again to give me the password.

This makes my work much harder, but security will not increase.

What must I do now?

Save the password in a text file to use it again? (Makes it more secure - is that what you want?)

Set a default password for the TeamViewer QuickSupport module? (Not really secure)

Disabling the ability to save a password will not increase security. Support people use the fastest way to work and manage support questions.