TV-2024-1001

TeamViewer Security Advisory

Incomplete protection of personal password settings

1. Summary

A vulnerability has been found in TeamViewer Client prior to version 15.51.5 that could allow an unprivileged user on a multi-user system to set a personal password. The issue has been fixed in version 15.51.5.

 

2. Vulnerability Details

CVE-ID: CVE-2024-0819
————————–——————————————————————————————————————
Description: In the TeamViewer Client prior to version 15.51.5, access to the personal password setting doesn’t require administrative rights. A low-privileged user on a multi-user system, with access to the client, can set a personal password. That potentially allows an unprivileged user to establish a remote connection to other currently logged-in users on the same system.

TeamViewer clients with the setting “changes require administrative rights on this computer” activated, or with additional security features active and properly configured, are not affected. Examples of such features:

  •   Options Password
  •   Conditional Access
  •   BYOC
  •   Block & Allow List
  •   Access control
  •   TFA for connections
  •   One-time-password

TeamViewer recommends using Easy Access for unattended access, combined with Two-Factor Authentication. This protection covers access to the TeamViewer account and to any machine you support via TeamViewer.

If you still consider using a personal password, please make sure to follow the guidelines and use a strong password.

————————–——————————————————————————————————————
CVSS3.0 Score: Base Score 7.3 (High)
————————–——————————————————————————————————————
CVSS3.1 Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
————————–——————————————————————————————————————
Problem type: CWE-269: Improper Privilege Management
————————–——————————————————————————————————————

 

3. Affected products & versions

Product | Versions | Info
————————–————————————–————————————————————————–
TeamViewer Remote Full Client | < 15.51.5 | Update available
————————–————————————–————————————————————————–
TeamViewer Remote Host | < 15.51.5 | Update available
————————–————————————–————————————————————————–

4. Solutions & mitigations

Recommended: Update to the latest version (15.51.5 or higher)

or set “changes require administrative rights on this computer” in the advanced settings of the client

or set an “options password” in the advanced settings of the client

or consider one of the above-mentioned security features.
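
The decision logic of sections 3 and 4 can be applied to a fleet inventory. The following is an added example, not TeamViewer's own code: the CSV column names, host names and sample versions are constructed assumptions, and only the fixed version 15.51.5 and the two mitigating settings come from this advisory.

```python
# Added example: triage an inventory export against advisory TV-2024-1001.
# Column names and hosts are constructed; adapt them to your own inventory.
import csv
import io

FIXED = (15, 51, 5)  # first fixed version according to the advisory

def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Classify one inventory row as fixed, mitigated, affected or unknown."""
    version = parse_version(row["version"])
    if version is None:
        return "unknown"  # needs manual review, never assume safe
    # Compare numerically and pad short versions ("15.52" -> 15.52.0).
    # A string comparison would wrongly rank "15.9.4" above "15.51.5".
    padded = version + (0,) * (len(FIXED) - len(version))
    if padded >= FIXED:
        return "fixed"
    # Either setting from section 4 protects the personal password setting.
    if row["admin_rights_required"] == "yes" or row["options_password_set"] == "yes":
        return "mitigated"  # still schedule the update
    return "affected"

def triage(csv_text):
    """Map each host in the CSV text to its classification."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row) for row in reader}

# Constructed sample inventory (not real hosts or a real export format).
SAMPLE = """host,product,version,admin_rights_required,options_password_set
ts-01,TeamViewer Remote Host,15.9.4,no,no
ts-02,TeamViewer Remote Full Client,15.51.5,no,no
ts-03,TeamViewer Remote Full Client,15.50.5,yes,no
ts-04,TeamViewer Remote Host,15.46.7,no,yes
ts-05,TeamViewer Remote Host,15.52,no,no
ts-06,TeamViewer Remote Full Client,,no,no
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "mitigated" are protected only while the setting stays in place, so they remain candidates for the update.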

 

5. Additional Resources

https://community.teamviewer.com/English/kb/articles/4619-security-statement

https://community.teamviewer.com/English/kb/articles/108681-best-practices-for-secure-unattended-access

https://community.teamviewer.com/English/kb/articles/109715-security

 

6. Acknowledgments

We thank Aaron Schlitt, Lukas Radermacher and Nils Hanff very much for their contribution and responsible disclosure.

Bulletin ID: TV-2024-1001

Issue Date: 2024-02-27

Last Update: 2024-02-27

Priority: Important

CVSS Score

Assigned CVE

Affected Products

  • TeamViewer Remote Full Client

  • TeamViewer Remote Host
