Published: 07/02/2020 Updated: 24/08/2020

CVSS v2 Base Score: 4.4 | Impact Score: 6.4 | Exploitability Score: 3.4

CVSS v3 Base Score: 7 | Impact Score: 5.9 | Exploitability Score: 1

VMScore: 394

Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

TeamViewer Desktop up to and including 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for malicious users to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system.

Vulnerable Product	Search on Vulmon	Subscribe to Product
teamviewer teamviewer

Enumerate and decrypt TeamViewer credentials from Windows registry

DecryptTeamViewer Uses CVE-2019-18988 to enumerate and decrypt TeamViewer credentials from Windows registry Vulnerability research done by Nic Losby Blogpost detailing the vulnerability: whynotsecuritycom/blog/teamviewer/ Usage \DecryptTeamViewerexe

Tool to extract TeamViewer encrypted passwords from Windows Registry

WatchTV Tool to extract TeamViewer encrypted passwords from Windows Registry exploiting CVE-2019-18988 #################L ###############u ##################N@################ * ##################################### '>n=L ###############################RR#### 'b" 9 ###########################R#" #### @ * ###########

Information and tools for working with the TeamViewer OptionsPasswordHash value

TeamViewer: The Remote Desktop Software TeamViewer stores information in the registry to authenticate users connecting In past versions, this was very rudimentary and easily broken (see whynotsecuritycom/blog/teamviewer/ for more information, CVE-2019-18988), but has been improved since then This repository focuses on the OptionsPasswordHash value, which is used to r

DecryptTeamViewer Uses CVE-2019-18988 to enumerate and decrypt TeamViewer credentials from Windows registry Blogpost detailing the vulnerability: whynotsecuritycom/blog/teamviewer/ Usage \DecryptTeamViewerexe

CVE-2019-18988

TeamViewer Store Credentials Decryption

CVE-2019-18988 TeamViewer Store Credentials Decryption

CWE-521 https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264 https://whynotsecurity.com/blog/teamviewer/https://twitter.com/Blurbdust/status/1224212682594770946?s=20 https://community.teamviewer.com/t5/Knowledge-Base/tkb-p/Knowledgebase?threadtype=label&labels=Security https://nvd.nist.gov https://github.com/V1V1/DecryptTeamViewer

CVE-2019-18988

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect