
Posted by Community Manager
Community Manager

Statement on recent brute-force research (CVE-2018-16550)

Dear TeamViewer Community,

We are aware of the brute-force vulnerability that was brought to our attention by a security researcher. Data security has top priority at TeamViewer. Therefore, we are currently evaluating this case and will inform our users as soon as we have an appropriate solution.

For the time being, users can strengthen their passwords by going to Extras | Options | Security | password strength and selecting a password strength of 6 characters and above.

Please find out more about setting up strong passwords on our community: All about passwords. As with every software, our recommendation is to have strong passwords to protect your devices.

Best regards,

Esther

Community Manager



Accepted Solution

Posted by Senior Moderator

Re: Statement on recent brute-force research

Hi everyone,

A patch for the issue is currently being rolled out for TV13 and an expanding range of legacy versions. To trigger the update, open TeamViewer and click on “help > check for new version”.

On a side note, and to adapt to today's technological reality, we changed the default password setting from 4 to 6 characters. Users will still be able to use a 4-digit password; however, they will have to proactively reduce the password strength.

All the best,
-Scotty

Senior Moderator
11 Replies
Posted by rdubois
Photon

Re: Statement on recent brute-force research

Dear,

Is there an update regarding this potential vulnerability? Is it confirmed?

regards,

R. Dubois

Posted by Community Manager
Community Manager

Re: Statement on recent brute-force research

Hi @rdubois

We are working on a solution which will be provided soon.

There is an option to avoid this by default and we recommend this in the meantime. 

Please find out more about setting up strong passwords on our community: All about passwords. As with every software, our recommendation is to have strong passwords to protect your devices.

Best, Esther

Community Manager



Posted by kjulson
Henagon

Re: Statement on recent brute-force research

There seems to be a big disconnect on who you think your users are, Scotty. "To trigger the update, open TeamViewer and click on “help > check for new version”." Do you really think that is the best upgrade option for businesses with hundreds of installations?

Also, you are assuming that everyone is on version 13. Any previous version performing your suggested "upgrade method" will install version 13 which they are not licensed for. Now they cannot connect to their remote systems. Obviously not much thought was given on the content of this post.

How about we do this a little more professionally and give links to download the various versions?

Posted by Community Manager
Community Manager

Re: Statement on recent brute-force research

Hi all,

We enabled the auto-update for the most recent TeamViewer update which includes the patch for the issue.

The update will be installed automatically on all TeamViewer clients which have the auto-update enabled under Extras --> Options --> Advanced --> Show advanced options --> Check for new versions: Daily and Install new versions automatically --> Updates within this major version or All updates.

Please be aware that the auto-update might take a few days until it reaches all clients.

We are working on further extending the fix as much as we can.

Thanks and all the best, Esther

Community Manager



Posted by thop
Electron

Re: Statement on recent brute-force research

Hi Esther

 

Our user network has installed version 7 TeamViewer clients using the custom module, i.e. one with our logo that provides a simplified interface.

The simplified interface does not provide a 'check for updates' option.

Does it have any auto-update facility built in?

If not, is our only means to contact our user base and ask them to manually update their software?

Many thanks for your help

Kind regards

Tom

Posted by Community Manager
Community Manager

Re: Statement on recent brute-force research

Hi Tom 

Thanks for your post.

Yes, the QuickSupport module automatically checks for a new update each time, as it is being downloaded from our infrastructure. So when you are working with the SOS button or the module linked to the link provided via the Management Console "get.teamviewer.com/yourcustomizedname" it will always download the latest version of the main version you created the QuickSupport for.

Thanks, Esther

Community Manager



Posted by danielf
Henagon

Re: Statement on recent brute-force research (CVE-2018-16550)

Thank you for adding the CVE here, it makes it easier to find.

One further question arises: which versions of TV contain the fix for this issue? Scotty mentioned new, fixed versions being made available on October the 4th; however, on the download page the available Windows version is 13.2.14327, which according to this post was released in August. Therefore it cannot possibly contain the mentioned fix.

A list of versions (ideally one for each platform, e.g. Windows, macOS, etc) would be helpful in order to be able to easily determine whether one is affected by this or not.

Thanks for your support!

Posted by Community Manager
Community Manager

Re: Statement on recent brute-force research (CVE-2018-16550)

Hi Daniel,

I am afraid the version number on the web page is not up to date. I am checking internally to get this fixed. But I can assure you: when downloading TeamViewer 13 from our site, you're getting the fixed version and a higher version number.

Regarding the fixed version numbers, I am checking with the team and will post further communication addressing the CVE soon.

Thanks again,

Esther

Community Manager



Posted by danielf
Henagon

Re: Statement on recent brute-force research (CVE-2018-16550)

Hi Esther, 

any news regarding the exact fixed versions?

Posted by Community Manager
Community Manager

Re: Statement on recent brute-force research (CVE-2018-16550)

Hi @danielf

While TeamViewer 14 is being released - of course including the fix - our main focus is on adapting the patch to older versions which requires an enormous amount of time.

I will keep you updated on any news in this thread.

Thanks and best,

Esther

Community Manager

