TV-2024-1001

Incomplete protection of personal password settings

Bulletin ID
TV-2024-1001
Date Published
Feb 27, 2024
Last Update
Feb 27, 2024
Priority
Important
CVSS 3.0
7.3 (high)
Assigned CVE
CVE-2024-0819
Affected Products
TeamViewer Remote full client
TeamViewer Remote Host

1. Summary

A vulnerability has been found in TeamViewer client prior version 15.51.5 that could allow an unprivileged user on a multi-user system to set a personal password. The issue has been fixed with Version 15.51.5.

2. Vulnerability Details

CVE-ID

Description

In the Teamviewer client prior Version 15.51.5, access to the personal password setting doesn’t require administrative rights. A low privileged user on a multi-user system, with access to the client, can set a personal password. That potentially allows an unprivileged user to establish a remote connection to other currently logged-in users on the same system.

 

TeamViewer clients with activated setting “changes require administrative right on this computer” or additional security features active and properly configured are not affected, e.g.

 

  • Options
  • Password
  • Conditional Access
  • BYOC
  • Block & Allow List
  • Access control
  • TFA for connections
  • One-time-password

 

TeamViewer recommends using Easy Access for unattended access, combined with the Two-Factor-Authentication, this protection covers accessing the TeamViewer account and any machine you support via TeamViewer.

 

If you still consider to use a personal password please make sure to follow the guidelines and use a strong password.

CVSS3.0 Score

Base Score 7.3 (High)

CVSS3.1 Vector String

Problem type

3. Affected products & versions

Product Versions Info

Teamviewer Remote full client

< 15.51.5

Teamviewer Remote Host

< 15.51.5

4. Solutions and mitigations

Recommended: Update to the latest version (15.51.5 or higher)

or set “changes require administrative rights on this computer” in the advanced settings of the client

or set an “options password” in the advanced settings of the client

or consider one the above-mentioned security features.

5. Additional Resources

https://community.teamviewer.com/English/kb/articles/4619-security-statement

https://community.teamviewer.com/English/kb/articles/108681-best-practices-for-secure-unattended-access

https://community.teamviewer.com/English/kb/articles/109715-security

6. Acknowledgments

We thank Aaron Schlitt, Lukas Radermacher and Nils Hanff very much for their contribution and responsible disclosure.

Do you want to report a security issue?

TeamViewer’s security team will investigate every submission in our Vulnerability Disclosure Program.