Remote, unauthenticated attackers could exploit the TeamViewer flaw to execute code and crack victims’ passwords.
Popular remote-support software TeamViewer has patched a high-severity flaw in its desktop application for Windows. If exploited, the flaw could allow remote, unauthenticated attackers to execute code on users’ systems or crack their TeamViewer passwords.
TeamViewer is a proprietary software application used by businesses for remote-control functionalities, desktop sharing, online meetings, web conferencing and file transfer between computers. The recently discovered flaw (CVE-2020-13699) stems from the Desktop for Windows app not properly quoting its custom uniform resource identifier (URI) handlers.
Apps need to identify the URIs for the websites they will handle. But because handler applications can receive data from untrusted sources, the URI values passed to the application may contain malicious data that attempts to exploit the app. In this specific case, values are not “quoted” by the app – meaning that TeamViewer will treat them as commands rather than as input values.
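An added example, not part of the original article or TeamViewer's own code: a Python audit that flags URI-handler command templates whose `%1` placeholder sits outside double quotes, and shows how an unquoted value splits into extra command-line arguments. The install path, command strings and sample URI are constructed; on Windows the templates would be read from `HKEY_CLASSES_ROOT\<scheme>\shell\open\command`.

```python
# Constructed sample data: scheme names are from the article, the command
# strings and install path are illustrative. On a real host they come from
# HKEY_CLASSES_ROOT\<scheme>\shell\open\command.
SAMPLE_HANDLERS = {
    "teamviewer10": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" %1',
    "tvchat1": r'"C:\Program Files (x86)\TeamViewer\TeamViewer.exe" "%1"',
}
# Constructed, harmless URI containing spaces and an option-like token.
SAMPLE_URI = "teamviewer10:session-id --constructed-option value"


def has_unquoted_placeholder(template):
    """True if any %1 in the handler template lies outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(template):
        if ch == '"':
            in_quotes = not in_quotes
        elif template.startswith("%1", i) and not in_quotes:
            return True
    return False


def split_args(cmdline):
    """Simplified Windows-style split: whitespace ends an argument
    unless it is inside double quotes (backslash escapes not modelled)."""
    args, cur, in_quotes, started = [], "", False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        args.append(cur)
    return args


def audit(handlers):
    """Schemes whose handler passes the URI to the program unquoted."""
    return sorted(s for s, t in handlers.items() if has_unquoted_placeholder(t))


def launch_args(template, uri):
    """Argument vector the program would receive for this URI."""
    return split_args(template.replace("%1", uri))
```

Quoting the placeholder keeps the URI as one argument; the receiving program still has to validate that value before acting on it.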
“An attacker could embed a malicious iframe in a website with a crafted URL (
To initiate the attack, the attacker could simply persuade a user with TeamViewer installed on their system to click on a crafted URL in a website – an opportunity for attackers to potentially launch watering-hole attacks.
The URI will then trick the app into creating a connection to an attacker-controlled remote Server Message Block (SMB) share. SMB is a network protocol used by Windows-based computers that allows systems within the same network to share files.
After a victim’s TeamViewer app initiates the remote SMB share, Windows will then make the connection using NT LAN Manager (NTLM). NTLM uses an encrypted protocol to authenticate a user without transferring the user’s password. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password.
In this attack scenario, the NTLM request can then be relayed by attackers using a tool like Responder, according to Hofmann. The Responder toolkit captures SMB authentication sessions on an internal network and relays them to a target machine. This ultimately grants attackers access to the victim’s machine, automatically. It also allows them to capture password hashes, which they can then crack via brute force.
The flaw ranks 8.8 out of 10.0 on the CVSS scale, making it high severity. TeamViewer versions prior to 15.8.3 are vulnerable, and the bug affects various versions of TeamViewer, including: teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1 and tvvpn1.
The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3, researchers said.
In order to patch the flaw, “We carried out some improvements in URI handling relating to CVE 2020-13699,” according to TeamViewer in a statement sent to Threatpost. “Thank you, Jeffrey Hofmann with Praetorian, for your professionalism and following a responsible disclosure model. We are grateful that you reached out to us and that you could confirm the fix of your findings in the latest release.”
In a security advisory regarding the flaw, the Center for Internet Security (CIS) recommended that TeamViewer users apply the appropriate patches. They also recommended that users avoid untrusted websites or links provided by unknown sources, and “educate users about threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.”
TeamViewer’s remote-control functionalities make it a lucrative attack target for bad actors – especially with more enterprises turning to collaboration apps like TeamViewer during the pandemic. In 2019, a targeted, email-borne attack against embassy officials and government finance authorities globally weaponized TeamViewer to gain full control of the infected computer. And earlier in 2020, a newly discovered variant of the Cerberus Android trojan was found with vastly expanded and more sophisticated info-harvesting capabilities, and the ability to run TeamViewer.