TV-2022-1001

TeamViewer Linux – Deletion command not properly executed after process crash

1. Summary

A bug has been found in TeamViewer for Linux before 15.28 that could result in an inadvertent re-use of a previously used connection password after a process crash. The bug has been fixed in version 15.28. We recommend updating your Linux client installations at your earliest convenience.

2. Vulnerability Details

CVE-ID: CVE-2022-23242
Description: TeamViewer Linux versions before 15.28 did not properly execute a deletion command for the connection password in case of a process crash. Knowledge of the crash event and the TeamViewer ID, together with either possession of the pre-crash connection password or local authenticated access to the machine, would have allowed establishing a remote connection by reusing the connection password that was not properly deleted. We do not have any indication of active exploitation.
CVSS3.0 Score: Base Score 6.3 (medium)
CVSS3.0 Vector String: CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Problem type: N/A

 

3. Affected products & versions

Product: TeamViewer for Linux
Versions: V. 15.27 and lower
Info: UPDATE AVAILABLE

4. Solutions & mitigations

Update to the latest version (15.28 or higher)

5. Additional Resources

For users leveraging passwordless authentication (“Easy Access”) and/or MFA for connections, the issue is not exploitable.

https://community.teamviewer.com/English/kb/articles/108791-two-factor-authentication-for-connections

https://community.teamviewer.com/English/kb/articles/108681-best-practices-for-secure-unattended-access

Download resources:

https://www.teamviewer.com/en/download/linux/

6. Acknowledgments

We thank Weaponshotgun & WildZarek very much for their research and responsible disclosure.

Bulletin ID
TV-2022-1001
Published on
2022-03-22
Last update
2022-03-22
Severity
Medium
CVSS Score
Assigned CVE
Affected products
  • TeamViewer for Linux
