CVE-2019-18988

TeamViewer Desktop Bypass Remote Login Vulnerability

  • Severity Score: 7.0 (CVSS v3.1)
  • Public Exploits: 3 (Multiple Sources)
  • Exploited in Wild: Yes (KEV)
  • Decision: - (SSVC)

Descriptions

TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protected information stored in the registry or configuration files of TeamViewer. In versions before v9.x, this allowed attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionsPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off the machine (such as in a file share or online), an attacker could then decrypt the password required to log in to the system.

TeamViewer Desktop allows for bypass of remote-login access control because the same AES key is used for different customers' installations. If an attacker were to know this key, they could decrypt protected information stored in registry or configuration files, or decrypt the Unattended Access password to the system (which allows for remote login to the system).

*Credits: N/A
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Local
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2019-11-15 CVE Reserved
  • 2020-02-07 CVE Published
  • 2020-07-01 First Exploit
  • 2021-11-03 Exploited in Wild
  • 2022-05-03 KEV Due Date
  • 2023-12-12 EPSS Updated
  • 2024-08-05 CVE Updated
CWE
  • CWE-521: Weak Password Requirements
Affected Vendors, Products, and Versions
  • Vendor: Teamviewer
  • Product: Teamviewer
  • Version: <= 14.7.1965
  • Other: -
  • Status: Affected