Posted by TikiGiki
Henagon

Anyone working on latest TV Hack?

I just saw this 5 minutes ago: https://thehackernews.com/2017/12/teamviewer-hacking-tool.html

Is that 2 hacks this year already? What's the word, TeamViewer?

Posted by Community Manager
Community Manager

Re: Anyone working on latest TV Hack?

Hi @TikiGiki

Thank you for your post.

TeamViewer was not hacked. The issue is about a vulnerability which has already been addressed.

If you want to read up on this matter, here is an external source: threatpost.com: TeamViewer rushes fix for permission bug

We will keep you updated in this thread,

Esther

Posted by TikiGiki
Henagon

Re: Anyone working on latest TV Hack?

Thanks

Posted by Scott4
Henagon

Re: Anyone working on latest TV Hack?

Is there going to be an update to the changelog to reflect the patched versions for this vulnerability?

Posted by brw111
Trigon

Re: Anyone working on latest TV Hack?

My concern is whether TV 12 has the patch fix. While I have the ability to upgrade to version 13 I'm holding off until the kinks get ironed out, which is why I'm monitoring this topic. So for those of us still using 12 how is this issue being addressed?

 

Posted by Community Manager
Community Manager

Re: Anyone working on latest TV Hack?

Hi @brw111

Yes, version 12 for Windows and Mac has already been patched.

Thank you, Esther

Posted by brw111
Trigon

Re: Anyone working on latest TV Hack?

OK, thanks!

Posted by srf
Neutron

Re: Anyone working on latest TV Hack?

@Esther

Everything I've read stating the vulnerability was fixed is sourced from other sites. There seems to be nothing on TV's website about this vulnerability, what builds are affected, or a change log. It's almost like TV isn't officially acknowledging this. I'm surprised there's nothing on the site about it; there really should be details available to the public from TeamViewer (not a 3rd party source). Can you comment on this and provide official details?

 

thanks

Posted by Community Manager
Community Manager

Official statement on vulnerability

Hi all,

Please see TeamViewer's official statement below:

"Within hours after an injectable C++ DLL vulnerability was first brought to the attention of TeamViewer’s engineering team, the software maker provided a fix to address the issue.

The vulnerability was first described on GitHub and concerned TeamViewer’s set of permissions.

In two different scenarios, attackers could either gain control of the victim’s mouse or switch sides to gain control of the system.

However, the potential threat was limited as the exploit required a legitimate connection to be established first before it could have been applied.

Attackers could not randomly target any potential TeamViewer installation.

In addition, users always have the ability to terminate a TeamViewer session at any time.

TeamViewer strongly encourages users to update their installation to the latest software version."

Thank you,

Esther

Posted by Scott4
Henagon

Re: Official statement on vulnerability

@Esther

This is a nice statement, but I would like to verify that my installations are on the appropriate versions. Do you have build information available similar to what is listed here? https://www.teamviewer.com/en/download/changelog/

 

Thanks

Posted by brw111
Trigon

Re: Official statement on vulnerability

I agree, since based on the Official Statement where it encourages to update to latest version I'm no longer so sure that version 12 is in fact free of this vulnerability. There are no more updates for version 12 and as I noted before I'm holding off on updating to 13 until much of this stuff gets worked out!

 

Posted by Community Manager
Community Manager

Re: Official statement on vulnerability

Hi all,

The version numbers of the latest versions are:

Windows:

TeamViewer 13: 13.0.5640
TeamViewer 12: 12.0.89970
TeamViewer 11: 11.0.89975

Mac:

TeamViewer 13: 13.0.5640
TeamViewer 12: 12.0.89970
TeamViewer 11: 11.0.89975

Linux:

TeamViewer 13: 13.0.5693 (Host: 13.0.5641)
TeamViewer 12: 12.0.90041 
TeamViewer 11: 11.0.90154

Thank you again,

Esther

Posted by mlarsen
Digon

Re: Official statement on vulnerability

Thank you for providing the latest version numbers. To clarify this means all previous versions are vulnerable? Also, does this affect QuickSupport at all or just the full TeamViewer? Again, thanks for responding.

Posted by TeamViewer Staff
TeamViewer Staff

Re: Official statement on vulnerability

Hello @mlarsen

Thank you for your question.

As of today, we were able to directly release the patch for the last three latest versions. 

As for the older versions of the software, we have to open those builds up and make sure the patch does not affect the older versions' usability and/or if they contain the issue as well.

As we have more information on this we will let the community know via this post. 

If you have any further questions or concerns, please don't hesitate to contact us back.

 

Aaron Boshers
Support Engineer

If my reply answered your question, help out other users and click the Accept as a Solution button below.
You can also say thanks by clicking on the Thumbs Up button! Thanks for being an active member of our Community!
Posted by mlarsen
Digon

Re: Official statement on vulnerability

Thank you for the quick response.

Does this affect QuickSupport as well or just the full TeamViewer install?

Posted by TeamViewer Staff
TeamViewer Staff

Re: Official statement on vulnerability

Hello @mlarsen

Thank you for your question.

The Quick support module does support some features that used to be affected by the vulnerability, which is why we released an updated package for that as well.

Both the website and the management console should automatically provide users with the latest version if a new download is being performed.

If you have any further questions or concerns, please don't hesitate to contact us back. 

Aaron Boshers
Support Engineer

Posted by venterrn
Electron

Re: Official statement on vulnerability

Can you also please confirm if this affects the Host Only clients of TV?

Since there is no meeting feature in the host only install?

Posted by TikiGiki
Henagon

Re: Anyone working on latest TV Hack?

The kinks in earlier versions WILL NEVER get ironed out is what they told me when I HAD to take 13. Still lots of issues overlooked

Posted by TikiGiki
Henagon

Re: Official statement on vulnerability

Why is it taking so long for all remote computers to be updated if the policies are set to update most recent everything and enforced? I'm manually enforcing every one I'm on and working with Jonathan on this since yesterday morning when I first broke the news to him.

Posted by TeamViewer Staff
TeamViewer Staff

Re: Official statement on vulnerability

@venterrn

Thank you for your message. 

The automatic update cycle can take up to a few days, that is why we recommend you to check for new updates in the Help tab of your TeamViewer.

Aaron Boshers
Support Engineer

Posted by Digitus
Henagon

Re: Official statement on vulnerability

@Aaron_Boshers Thanks Aaron, just to clarify. Only the full version is affected and the malicious party needs to get a user to connect to them to inject the code? If that's the case this vulnerability is not very critical at all.

Posted by Community Manager
Community Manager

Re: Official statement on vulnerability

Hi @Digitus

The Quick support module does support some features that used to be affected by the vulnerability, which is why we released an updated package for that as well.

Both the website and the management console should automatically provide users with the latest version if a new download is being performed.

All the best, Esther

Posted by TikiGiki
Henagon

Re: Official statement on vulnerability SUPPORT IS A JOKE!

From many emails I've sent to Jonathan "Even though I have policies enforcing all remote computers to update to the latest version, as I am logging into them, I am noticing NONE are getting updated unless I do this manually. WHY NOT?"

His response after 4 sent emails and a phone call 2 hrs ago: "Hi Miles,

We have very high call volume today so not able to make any outbound call as of now. Sorry. 

But, when did you create and apply the policy?

Best regards, 

Jonathan 
CSAT Representative"

Posted by Rolld20
Electron

Re: Official statement on vulnerability SUPPORT IS A JOKE!

We have a pro license of version 12 and we do not want to change to version 13.

Are we vulnerable?  If so, how do we obtain the patch without upgrading to version 13?

Posted by mlarsen
Digon

Re: Official statement on vulnerability SUPPORT IS A JOKE!

You can get updated 11 and 12 clients here - https://www.teamviewer.com/en/download/previous-versions/

Posted by Rolld20
Electron

Re: Official statement on vulnerability SUPPORT IS A JOKE!

Those have the patch for the vulnerability?

Posted by mlarsen
Digon

Re: Official statement on vulnerability

Still waiting to hear verification if versions prior to 11 are affected. It's pretty odd not to see notifications and guidance about this on TeamViewer's homepage, and also unusual in my experience for a software company not to provide complete details and guidance for precisely which versions are affected.

Posted by Community Manager
Community Manager

Re: Official statement on vulnerability

Hi @mlarsen

We are still investigating older versions. I will update this thread as soon as I am getting more information.

We are providing notifications and guidance on the TeamViewer Community. Just follow this thread to get the latest news. Thank you for your understanding.

In addition, please have a look at the press statement on our website.

Thank you, Esther

Posted by blakmac
Henagon

Re: Official statement on vulnerability

So, if anyone is tired of waiting for an official answer...why not just set up two computers on the same subnet with an older version running on one of them, and try the exploit and see whether it works or not, then report your findings to everyone?

"But you might..." - Captain Smek
Posted by mlarsen
Digon

Re: Official statement on vulnerability

Well yeah, but I can't imagine why TeamViewer doesn't do just this. It does not seem like an unreasonable expectation.

Posted by blakmac
Henagon

Re: Official statement on vulnerability

It does seem reasonable. I would say it's likely that a step like that would go against some of their internal procedures (possibly), and also they could be looking directly at source code to see any problems (not a bad idea, but slower). 

Or the other possibility is that they're more worried about 11+, and previous versions aren't a priority to them. I don't like that possibility as much, but it's a reality that this could be the case.

"But you might..." - Captain Smek
Posted by Community Manager
Community Manager

Update on vulnerability

Hi there,

I would like to give you a heads-up on the process at TeamViewer in regard to this matter.

I apologize that it took a few days to post this update, but please rest assured we take this matter extremely seriously and continue to review it.

Let me provide you with a Q & A about the matter. Please excuse that I am repeating some parts of what I posted earlier, but I think it is good to have a complete overview:

 

What is the permission hook exploit?

The permission hook exploit is a vulnerability that pertains to TeamViewer’s Windows, macOS and Linux versions and concerns TeamViewer’s set of permissions. In two different scenarios, attackers could either gain control of the victim’s mouse or switch sides to gain control of the system. However, a cybercriminal cannot randomly attack any TeamViewer installation as the exploit requires a running session.

 

What is the guidance TeamViewer can provide to address the permission hook exploit?

Remote support sessions should only be conducted with trustworthy parties. Even the permission hook exploit cannot be applied without a typical social engineering scheme.

Remember big organizations do not cold call you to inform you about a potential flaw of your device. If you receive a call like that, just hang up! If you are concerned about your machine, take the initiative and have a trustworthy party look at it.

For the use within organizations, it will be helpful to remind employees that remote sessions should only be held with trustworthy parties.

In addition, users should always update their software and only download TeamViewer through the official channels.

 

What is the impact of the permission hook exploit?

The impact of this exploit is limited. Cybercriminals cannot just randomly attack any given TeamViewer installation. The exploit can only be applied after a legitimate TeamViewer session has been established. So even if a TeamViewer version is susceptible to this potential threat, it only becomes an issue if users join in sessions with a rogue participant. Additionally, every TeamViewer user has the ability to end the session at any time to terminate the attack.

 

How did TeamViewer find out about the exploit?

The Proof of Concept (PoC) was first published by an external security researcher on GitHub. TeamViewer discovered the PoC in a monitoring routine that is continuously run to identify potential threats.

 

What is a typical use case for the permission hook exploit?

The exploit could be administered in a typical tech scam, and hinges on social engineering. Scammers very often have their victims connect to their – i.e. the scammer’s – computer first. From there they coax them into confirming a switch of sides so that the scammers can access the victim’s device.

With the permission hook exploit, scammers can switch sides without having the victim confirm that first. Still the victim can end the session to terminate the attack.  But as has been pointed out before, there is no feasible approach to exploit this vulnerability without a social engineering scheme.

 

How and when did TeamViewer respond to the discovery of the vulnerability?

TeamViewer responded immediately to contain the threat. After TeamViewer learned about the issue on Monday, December 4, 2017, hotfixes for Windows were provided on Tuesday, December 5, 2017. macOS updates were released on Wednesday, December 6, 2017. Updates for Linux appeared on Thursday, December 7, and Friday, December 8, 2017.

Updates are available for TeamViewer versions 11-13. The vulnerability also affects the QuickSupport and Host module. Patches have been provided accordingly.

 

How can the TeamViewer software update be received?

The reception of the available updates depends on the setting in the TeamViewer client. Users who have not enabled auto updates in the software will receive an in-product message that will ask them to update their client.

Users with auto updates enabled will receive the update automatically.

However, TeamViewer encourages all users to manually initiate the check for updates, because even with the auto update enabled, delays may occur because of the frequency set for the update checks in the TeamViewer client.

 

Why did the TeamViewer change logs not immediately reflect the vulnerability?

This delay is due to organizational processes. We apologize for any inconvenience that may have caused.

TeamViewer will provide proper change logs that will reflect the vulnerability adequately.

The latest versions that include the hotfix – as of December 12, 2017 – are as follows:

Windows:

TeamViewer 13: 13.0.5640
TeamViewer 12: 12.0.89970
TeamViewer 11: 11.0.89975

Mac:

TeamViewer 13: 13.0.5640
TeamViewer 12: 12.0.89970
TeamViewer 11: 11.0.89975

Linux:

TeamViewer 13: 13.0.5693 (Host: 13.0.5641)
TeamViewer 12: 12.0.90041 
TeamViewer 11: 11.0.90154

 

Is there an official statement available on the TeamViewer website?

Yes, the statement about the issue can be read and downloaded at:

https://www.teamviewer.com/en/company/press/teamviewer-releases-hotfix-for-permission-hook-vulnerabi...

 

Thank you for your patience and your understanding. In case of any further questions please feel free to post them in this thread and we will work on an answer.

All the best, Esther
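
One way to check an inventory against the hotfix builds listed in the post above, as an added example that is not part of the thread and not TeamViewer's code. The CSV layout, host names, status labels and the out-of-date builds in the sample are assumptions constructed for illustration.

```python
import csv
import io

# Hotfix builds "as of December 12, 2017", copied from the post above.
HOTFIX = {
    ("windows", 13): (13, 0, 5640), ("windows", 12): (12, 0, 89970),
    ("windows", 11): (11, 0, 89975),
    ("mac", 13): (13, 0, 5640), ("mac", 12): (12, 0, 89970),
    ("mac", 11): (11, 0, 89975),
    ("linux", 13): (13, 0, 5693), ("linux", 12): (12, 0, 90041),
    ("linux", 11): (11, 0, 90154),
}
LINUX_HOST_13 = (13, 0, 5641)  # the post lists a separate build for the Linux Host module

def parse_version(text):
    """Turn 'major.minor.build' into ints so builds compare numerically, not as strings."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def classify(platform, version, module="full"):
    """Return 'patched', 'needs-update', 'no-hotfix-listed' or 'unparseable'."""
    try:
        found = parse_version(version)
    except ValueError:
        return "unparseable"
    plat = platform.strip().lower()
    plat = "mac" if plat == "macos" else plat
    floor = HOTFIX.get((plat, found[0]))
    if (plat, found[0]) == ("linux", 13) and module.strip().lower() == "host":
        floor = LINUX_HOST_13
    if floor is None:
        # Major versions outside 11-13: the thread lists no hotfix build, so do not guess.
        return "no-hotfix-listed"
    return "patched" if found >= floor else "needs-update"

# Constructed inventory: hypothetical hosts; builds below the hotfix level are made up.
SAMPLE_INVENTORY = """host,platform,module,version
ws-01,Windows,full,13.0.5640
ws-02,Windows,full,12.0.83369
mac-02,Mac,full,11.0.9000
lin-01,Linux,host,13.0.5641
lin-02,Linux,full,13.0.5641
old-01,Windows,full,10.0.47484
"""

def audit(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["platform"], r["version"], r["module"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Build numbers are compared as integers because a plain string comparison would rank `11.0.9000` above `11.0.89975`.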

Posted by blakmac
Henagon

Re: Update on vulnerability

That still doesn't really address the pre-11 versions. 

"The impact of this exploit is limited. Cybercriminals cannot just randomly attack any given TeamViewer installation. The exploit can only be applied after a legitimate TeamViewer session has been established. "

So, had this been known in 2016, it could have been far worse. (I'm referring to this instance: https://blog.teamviewer.com/recent-cyber-attacks/). In this instance, they were randomly attacking any given TeamViewer installation using weak passwords, probably from a huge list from previously hacked sources...so if people didn't take steps to secure their accounts with 2fa, etc., there's serious potential for another attack using the password reuse thing, then firing the exploit to switch screens.

So we still need to address whether or not the older versions are affected. 

 

"But you might..." - Captain Smek
Posted by CEBU
Henagon

Re: Update on vulnerability

Hello! We use Team Viewer ver.10.0. Does this version have this vulnerability?