Statement on recent brute-force research (CVE-2018-16550)

Esther Posts: 4,052 Former Community Manager
edited May 2023 in Announcements

Dear TeamViewer Community,

We are aware of the brute-force vulnerability that was brought to our attention by a security researcher. Data security has top priority at TeamViewer. Therefore, we are currently evaluating this case and will inform our users as soon as we have an appropriate solution.

For the time being, users can strengthen their passwords by going to Extras | Options | Security | password strength and selecting a password strength of 6 characters and above.

Please find out more about setting up strong passwords on our community: All about passwords. As with every software, our recommendation is to have strong passwords to protect your devices.

Best regards,

Esther

Answers

  • Dear,

    Is there an update regarding this potential vulnerability? Is it confirmed?

    regards,

    R. Dubois

  • Esther Posts: 4,052 Former Community Manager

    Hi @rdubois

    We are working on a solution which will be provided soon.

    There is an option to avoid this by default and we recommend this in the meantime. 

    Please find out more about setting up strong passwords on our community: All about passwords. As with every software, our recommendation is to have strong passwords to protect your devices.

    Best, Esther


  • Scotty Posts: 493 Staff member

    Hi everyone,

    A patch for the issue is currently being rolled out for TV13 and an expanding range of legacy versions. To trigger the update, open TeamViewer and click on “help > check for new version”.

    On a side note, and to adapt to today's technological reality, we changed the default password setting from 4 to 6 characters. Users will still be able to use a 4-digit password; however, they will have to proactively reduce the password strength.

    All the best,
    -Scotty

    Senior Moderator
  • kjulson Posts: 2

    There seems to be a big disconnect on who you think your users are, Scotty. "To trigger the update, open TeamViewer and click on “help > check for new version”." Do you really think that is the best upgrade option for businesses with hundreds of installations?

    Also, you are assuming that everyone is on version 13. Any previous version performing your suggested "upgrade method" will install version 13 which they are not licensed for. Now they cannot connect to their remote systems. Obviously not much thought was given on the content of this post.

    How about we do this a little more professionally and give links to download the various versions?

  • Esther Posts: 4,052 Former Community Manager

    Hi all,

    we enabled the auto-update for the most recent TeamViewer update which includes the patch for the issue.

    The update will be installed automatically on all TeamViewer clients which have the auto-update enabled under Extras --> Options --> Advanced --> Show advanced options --> Check for new versions: Daily and Install new versions automatically --> Updates within this major version or All updates.

    Please be aware that the auto-update might take a few days until it reaches all clients.

    We are working on further extending the fix as much as we can.

    Thanks and all the best, Esther


  • thop Posts: 1

    Hi Esther

    Our user network has installed version 7 TeamViewer clients using the custom module, i.e. one that has our logo and provides a simplified interface.

    The simplified interface does not provide a 'check for updates' option.

    Does it have any auto-update facility built in?

    If not, is our only means to contact our user base and ask them to manually update their software?

    Many thanks for your help

    Kind regards

    Tom

  • Esther Posts: 4,052 Former Community Manager

    Hi Tom 

    Thanks for your post.

    Yes, the QuickSupport module automatically checks for a new update each time, as it is being downloaded from our infrastructure. So when you are working with the SOS button or the module linked to the link provided via the Management Console "get.teamviewer.com/yourcustomizedname", it will always download the latest version of the main version you created the QuickSupport for.

    Thanks, Esther


  • Thank you for adding the CVE here, it makes it easier to find.

    One further question arises: which versions of TV contain the fix for this issue? Scotty mentioned new, fixed versions being made available on October the 4th; however, on the download page the available Windows version is 13.2.14327, which according to this post was released in August. Therefore it cannot possibly contain the mentioned fix.

    A list of versions (ideally one for each platform, e.g. Windows, macOS, etc.) would be helpful in order to be able to easily determine whether one is affected by this or not.

    Thanks for your support!

  • Esther Posts: 4,052 Former Community Manager

    Hi Daniel,

    I am afraid the version number on the web page is not up to date. I am checking internally to get this fixed. But I can assure you: when downloading TeamViewer 13 from our site, you're getting the fixed version and a higher version number.

    Regarding the fixed version numbers, I am checking with the team and will post further communication addressing the CVE soon.

    Thanks again,

    Esther


  • Hi Esther, 

    any news regarding the exact fixed versions?

  • Esther Posts: 4,052 Former Community Manager

    Hi @danielf

    While TeamViewer 14 is being released - of course including the fix - our main focus is on adapting the patch to older versions which requires an enormous amount of time.

    I will keep you updated on any news in this thread.

    Thanks and best,

    Esther


  • kermit5 Posts: 1

    Could you please confirm that the patch has also been rolled out in TV Versions 10 to 12 and not only in TV 13?

  • Esther Posts: 4,052 Former Community Manager

    Hi @kermit5 

    Please see my post here.

    Thanks and best,

    Esther
