SB2020042207 - Hard-coded cryptographic key in TeamViewer
Published: April 22, 2020
Security Bulletin ID
SB2020042207
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2019-18988)
The vulnerability allows a local user to decrypt stored credentials.
The vulnerability exists due to application is using the same AES key for all installations to encrypt stored proxy and options password. A local user with access to he system can use the hard-coded key to decrypt credentials.
Remediation
Install update from vendor's website.
References
- https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264
- https://community.teamviewer.com/t5/Knowledge-Base/tkb-p/Knowledgebase?threadtype=label&labels=Security
- https://twitter.com/Blurbdust/status/1224212682594770946?s=20
- https://whynotsecurity.com/blog/teamviewer/
- https://community.teamviewer.com/t5/Change-Logs/Windows-v14-7-39531-Full-Change-Log/td-p/90813