Statement on CVE 2020-13699

Esther
Esther Posts: 4,052 Former Community Manager
edited May 2023 in Announcements

Hi all,

Today we are releasing some updates for TeamViewer 8 through 15, for the Windows platform.

We implemented some improvements in URI handling relating to CVE 2020-13699.

Please see our Change Logs here.

Nota Bene: Thank you, Jeffrey Hofmann with Praetorian, for your professionalism and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release.

All the best,

Esther

Former Community Manager

«1

Comments

  • Sascha2
    Sascha2 Posts: 8 ✭✭

    and how important is it to deploy updated version that in our company? No infos about CVE 2020-13699 found....

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @Sascha2 

    Thanks for your post.

    Meanwhile, the CVE-details have been released.

    As always, we recommend updating to the latest version to benefit from the latest security patches.

    Thanks and best,

    Esther

    Former Community Manager

  • Sascha2
    Sascha2 Posts: 8 ✭✭

    Hi @Esther ,

    thx for information. Sounds like update is needed.

    Regards,

    Sascha

  • Hi, my company has enterprise license for TV version 10. Since we are affected by the CVE-2020-13699, do we get to patch our TV?

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @junxian_li 

    We recommend to update all TeamViewer installation to the latest version. For TeamViewer 10 the patched version number is v10.0.258873.

    You find the Change Log here: [Windows] v10.0.258873 - Change Log and the download here: TeamViewer Download for previous versions

    Thanks and best,

    Esther

    Former Community Manager

  • Hi Esther, 

    Thanks, will update it.

    Just wondering, why does another version (10.0.223995) appears when I click on Help -> Check for new version ?

    updateupdate

  • ma7c
    ma7c Posts: 3

    Hi Esther,

    We are on version 11.x Do we need an update for TV_Hosts and TV-Quick-Support?
    Will updated files be available for download in the TeamViewer Management Console?
    Those files are last updated on the 13th of July.

    Thank you.

    Marc

  • Esther
    Esther Posts: 4,052 Former Community Manager

    HI @ma7c 

    All fresh downloads from within the Management Console should get the latest version automatically (=get.teamviewer.com/yourlink...).

    The Management Console will offer you the update if you still have older versions in there via a banner that appears in the Design & Deploy tab.

    That means, the next time, your customers are starting your customized modues, they should get the new version automatically.

    If you deployed your Hosts via MSI, please make a new deployment with the updated Host as the MSI does not include an update feature.

    Regular installed Hosts and full versions, having Automatic update enabled within the options, should already have received the update.

    @junxian_li  I am checking internally with the team and get back to you soonest why the PopUp does not show the correct version number.

    Thanks and best,

    Esther

     

    Former Community Manager

  • ma7c
    ma7c Posts: 3

    Hi Esther,

    this public Host-Installer from https://download.teamviewer.com/download/version_11x/TeamViewer_Host_Setup.exe is still an old version from last month (13th July). Will there be an update for re-deployment?

    Thank you
    Marc

  • Esther
    Esther Posts: 4,052 Former Community Manager

    HI @ma7c 

    When downloading it, it gives me the correct version (Sorry for the screenshot in German): 

    Install_Host.png

    See: [Windows] v11.0.258870 - Change Log

    Can you check again?

    Thanks, Esther

    Former Community Manager

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @junxian_li 

    Thanks for your patience.

    Would you mind to test the download again and see whether the PopUp now offers the correct version 10?

    I am looking forward to your feedback.

    Thanks and best, Esther

    Former Community Manager

  • ma7c
    ma7c Posts: 3

    That's totally correct. I was on the msi TV-Host files, the .exe files are up-to-date.

    Thank you, best regards
    Marc

  • @Esther The CVE indicates the vulnerability applies to version 15.8.3 also. When I attempt to update through the TV client it indicates I don't have an update, 15.8.3 is the latest available and the date on that is July 20th. 

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @ShaverLake 

    Oh -where did you read that?

    But no worries - TeamViewer 15.8.3 includes the patch for the CVE - see the versions Change Log

    We also released new versions for TeamViewer 8, 9, 10,11, 12, 13, 14.2 and 14.7 to address the topic.

    Best, Esther

    Former Community Manager

  • MJW
    MJW Posts: 2 ✭✭

    @Esther 

    Does TeamViewer 15.8.3 for Windows update require older versions of TeamViewer to also update due to fix in URI handling? We are receiving error when connecting from TeamViewer 15 to TeamViewer 11 Host which should be backwards compatible.

    "The remote TeamViewer is running an old version which is out of date. Therefore you cannot connect to this Version anymore."

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @MJW 

    The message you got indicates that you have not been signed in with your licensed TeamViewer account when trying to start the connection as connections to older TeamViewer versions require a license.

    After logging in to your Computers & Contacts list you should be able to connect again.

    Still - we recommend updating all endpoints to the latest version (not necessarily to TeamViewer 15, but within their version). There is an update for TeamViewer 11 available. See its Change Log here: [Windows] v11.0.258870 - Change Log

    I hope this info helps you.

    Best,

    Esther

    Former Community Manager

  • MJW
    MJW Posts: 2 ✭✭

    @Esther  Thank you, Esther! I believe that is the issue.

  • mLipok
    mLipok Posts: 781 ⭐Star⭐

    Could somebody of TeamViewer Team explain/elaborate about:

    Does the problem concern the program on the side initiating the connection or also the program on the side hosting/sharing the remote desktop.

    I need to know whether I should update it also on remote computer stations or only locally in my office on all my local workstation which will connect to our remote clients (my company mainly deals with IT Support for our clients/customers).

    Regards,
    mLipok , AutoIt MVP
  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @mLipok 

    We recommend updating your local devices as well as the remote devices to apply the patch.

    Best,

    Esther

    Former Community Manager

  • mLipok
    mLipok Posts: 781 ⭐Star⭐

    Even on TeamViewer Host ?

    Regards,
    mLipok , AutoIt MVP
  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi again,

    Thanks for the question: yes - all installations ? 

    Best, Esther

    Former Community Manager

  • mLipok
    mLipok Posts: 781 ⭐Star⭐

    as this is very important things to do I want to refresh one question which was discussed in this following IDEAS/FeatureRequest:

    https://community.teamviewer.com/t5/API-and-Scripting/How-to-get-list-of-outdated-host/m-p/91622#M1169

    and ....
    Ask how I can get the list of remote host where TV program is outdated ?

    Is it possible with any TeamViewer tools/api ?

    Regards,
    mLipok , AutoIt MVP
  • Hi @Esther

    Hello  My Teamviewer 12 client says it's 12.0.258869 (so it's the latest version), but the date is July 13 2020. And now I'm confused. Am I working on the latest, patched vesrion, or not?

     

  • Sascha2
    Sascha2 Posts: 8 ✭✭

    @sirmicho wrote:

    Hi @Esther

    Hello  My Teamviewer 12 client says it's 12.0.258869 (so it's the latest version), but the date is July 13 2020. And now I'm confused. Am I working on the latest, patched vesrion, or not?

     


    same here so i guess its correct

    build date of the exe is earlier than release date

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi and good morning @sirmicho 

    Yes, also as @Sascha2 confirmed, TeamViewer v12.0.258869 is the latest version of TeamViewer 12 and it includes the patch discussed in this thread for CVE 2020-13699.

    See the Change Log here: [Windows] v12.0.258869 - Change Log

    Thanks and best,

    Esther

    Former Community Manager

  • Thank you @Esther 

  • techmavcr
    techmavcr Posts: 3 ✭✭

    I feel very concerned about this article, and I want to know id my version has a vulnerability about the information this article is referring 

    https://thehackernews.com/2020/08/teamviewer-password-hacking.html

    I have 3 licenses v9

  • Esther
    Esther Posts: 4,052 Former Community Manager

    Hi @techmavcr 

    Thanks for your question.

    We released an update to version 9 on July 28th, 2020. Please find the Change Log and the new version number here: [Windows] v9.0.258860 - Change Log

    I will go ahead and move your post underneath the Statement on CVE 2020-13699 so that also other people can benefit from your question and my reply.

    Thanks and best,

    Esther

    Former Community Manager

  • techmavcr
    techmavcr Posts: 3 ✭✭

    Do I need to uninstall? reinstall or do anything?

  • No-2
    No-2 Posts: 1

    Does the vulnerability mentioned in CVE 2020-13699 affect QuickSupport, or does it apply only for the full version?