Security Bulletins

TV-2023-1001

Incomplete protection of local device settings

Bulletin ID
TV-2023-1001
Issue Date
Jun 14, 2023
Last Update
Jun 14, 2023
Priority
Moderate
CVSS
6.6 (medium)
Assigned CVE
CVE-2023-0837
Affected Products
TeamViewer Remote for Windows
TeamViewer Remote for macOS

1. Summary

A vulnerability has been found in the TeamViewer Remote client between version 15.41 and 15.42.7 that allows an unprivileged user to make unwanted changes to the basic local device settings. This only affects users who configured options to be locked. The bug has been fixed with version 15.42.8. We recommend users relying on this feature to update the TeamViewer Remote client as soon as possible

2. Vulnerability Details

CVE-ID

CVE-2023-0837

Description

In TeamViewer Remote between version 15.41 and 15.42.7 the basic device settings can be accessed by users even if these have been locked by the administrator. An unprivileged user with access to the device can change the basic settings, which can result in unwanted changes to the configuration. This does not apply to advanced settings, which have always been properly protected if options were locked.

CVSS3.0 Score

Base Score 6.6 (medium)

CVSS3.0 Vector String

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

Problem type

CWE-285: Improper Authorization

3. Affected products & versions

Product
Versions
Info

TeamViewer Remote client

15.41 – 15.42.7

Update available

4. Solutions & mitigations

Update to the latest version (15.42.8 or higher)

5. Additional Resources

Protect TeamViewer options:

https://community.teamviewer.com/English/kb/articles/109271-protect-teamviewer-options

Download resources:

https://www.teamviewer.com/en/download/

6. Acknowledgments

We thank Paul Curran (iFacility) very much for his contribution and responsible behavior.

Do you want to report a security issue?

TeamViewer’s security team will investigate every submission in our Vulnerability Disclosure Program.