1. Summary
Several mediumseverity vulnerabilities have been identified and fixed in the TeamViewer DEX Client (formerly 1E Client) – Content Distribution Service (NomadBranch.exe) affecting Windows versions prior to 26.1.
All vulnerabilities have been resolved in version 26.1. There is no indication of exploitation in the wild.
TeamViewer recommends that customers update to the latest available version. Installations where the Content Distribution Service is disabled are not affected by these issues. By default, the Content Distribution Service (NomadBranch.exe) is disabled.
The TeamViewer Remote/Tensor feature “DEX Essentials” is not affected.
2. Vulnerability Details
2.1 Transmission of Unencrypted Data in Content Distribution Service
|
CVE-ID |
|
|
Description |
A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause normally encrypted UDP traffic to be sent in cleartext. This can result in disclosure of sensitive information.
The vulnerability has been fixed with version 26.1. We recommend updating to the latest available version. |
|
CVSS3.1 Score |
6.5 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
|
|
Affected Products |
1E Client - NomadBranch.exe |
|
Fixed versions |
1E Client 26.1 |
2.2 Denial-of-Service in Content Distribution Service
|
CVE-ID |
|
|
Description |
A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause the NomadBranch.exe process to terminate via crafted requests. This can result in a denial-of-service condition of the Content Distribution Service.
The vulnerability has been fixed with version 26.1. We recommend updating to the latest available version. |
|
CVSS3.1 Score |
6.5 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
|
|
Affected Products |
1E Client - NomadBranch.exe |
|
Fixed versions |
1E Client 26.1 |
2.3 Log Injection in Content Distribution Service UDP Handler
|
CVE-ID |
|
|
Description |
A vulnerability in TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to inject, tamper with, or forge log entries in \Nomad Branch.log via crafted data sent to the UDP network handler. This can impact log integrity and nonrepudiation.
The vulnerability has been fixed with version 26.1. We recommend updating to the latest available version. |
|
CVSS3.1 Score |
6.5 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
|
|
Affected Products |
1E Client - NomadBranch.exe |
|
Fixed versions |
1E Client 26.1 |
2.4 Integer underflow in Content Distribution Service UDP handler
|
CVE-ID |
|
|
Description |
An integer underflow in the UDP command handler of the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial-of-service (service crash) via specially crafted UDP packets.
The vulnerability has been fixed with version 26.1. We recommend updating to the latest available version. |
|
CVSS3.1 Score |
6.5 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
|
|
Affected Products |
1E Client - NomadBranch.exe |
|
Fixed versions |
1E Client 26.1 |
2.5 Out-of-bounds read vulnerability in Content Distribution Service
|
CVE-ID |
|
|
Description |
An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an attacker on the adjacent network to cause information disclosure or denial-of-service via a special crafted packet. The leaked memory could be used to bypass ASLR and facilitate further exploitation.
The vulnerability has been fixed with version 26.1. We recommend updating to the latest available version. |
|
CVSS3.1 Score |
5.4 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
|
|
Affected Products |
1E Client - NomadBranch.exe |
|
Fixed versions |
1E Client 26.1 |
2.6 Out-of-bounds read vulnerability in Content Distribution Service
|
CVE-ID |
|
|
Description |
An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows a remote attacker to leak stack memory and cause a denial of service via a crafted request. The leaked stack memory could be used to bypass ASLR remotely and facilitate exploitation of other vulnerabilities on the affected system.
The vulnerability has been fixed with version 26.1. We recommend updating to the latest available version. |
|
CVSS3.1 Score |
6.5 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
|
|
Affected Products |
1E Client - NomadBranch.exe |
|
Fixed versions |
1E Client 26.1 |
2.7 Log timestamp tampering vulnerability in Content Distribution Service
|
CVE-ID |
|
|
Description |
A missing validation of a user-controlled value in the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to tamper with log timestamps via crafted UDP Sync command. This could result in forged or nonsensical datetime prefixes and compromising log integrity and forensic correlation.
The vulnerability has been fixed with version 26.1. We recommend updating to the latest available version. |
|
CVSS3.1 Score |
6.5 (Medium) |
|
CVSS3.1 Vector String |
|
|
Problem type |
|
|
Affected Products |
1E Client - NomadBranch.exe |
|
Fixed versions |
1E Client 26.1 |
3. Solutions and mitigations
Update to the latest version (26.1 or the latest version available).
4. Acknowledgments
We would like to thank the Threat Hunt Team of Bank of America for the discovery and responsible disclosure.