TeamViewer for Windows flaw allows complete compromise of the victim’s device

A new security risk for TeamViewer users has been reported. Network security course specialists report the discovery of a critical vulnerability in the remote access platform that could allow threat actors to decrypt users’ passwords, completely exposing the affected systems.

TeamViewer is a remote control, desktop sharing, video conferencing and file transfer application developed by the German company TeamViewer GmbH.

The vulnerability was tracked as CVE-2020-13699 and received a score of 8.8/10 on the Common Vulnerability Scoring System (CVSS) scale. This finding comes at a time when communication and remote access applications have seen a significant increase in use, due to lockdowns and working from home.

The flaw is present in any version of the TeamViewer application for Windows desktops prior to 8.0.258861, 9.0.258860, 10.0.258873, 11.0.258870, 12.0.258869, 13.2.36220, 14.2.56676, 14.7.48350 and 15.8.3.
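A defender's first question is whether a given install falls below the fixed builds listed above. The following checker is an added example, not code from the article or from TeamViewer; it takes the fixed-version list verbatim from the paragraph above and applies my own reading of it: each listed build patches its own major.minor branch, anything below major 8 is vulnerable ("any version prior to 8.0.258861"), and any major above 15 is assumed to carry the fix.

```python
"""Check whether a TeamViewer-for-Windows build predates the CVE-2020-13699 fix.

The FIXED_VERSIONS list is copied from the advisory text above; the branch
logic (how an installed build is matched to a fixed build) is an assumption
made for this example, not a statement from TeamViewer.
"""
from typing import List, Optional, Tuple

# Fixed builds exactly as listed in the article.
FIXED_VERSIONS: List[str] = [
    "8.0.258861", "9.0.258860", "10.0.258873", "11.0.258870",
    "12.0.258869", "13.2.36220", "14.2.56676", "14.7.48350", "15.8.3",
]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted numeric version ('15.8.3') into a tuple for comparison.

    Tuples compare element by element, so (15, 8, 2) < (15, 8, 3) and a
    shorter prefix such as (15, 8) sorts before (15, 8, 3).
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def fix_for_branch(installed: Version) -> Optional[Version]:
    """Return the fixed build an installed build must reach, or None.

    Assumption: the lowest listed fix with the same major and a minor at or
    above the installed minor is the one that applies. For major 14 this
    maps 14.0-14.2 to 14.2.56676 and 14.3-14.7 to 14.7.48350.
    """
    major = installed[0]
    minor = installed[1] if len(installed) > 1 else 0
    candidates = [
        parse_version(v) for v in FIXED_VERSIONS
        if parse_version(v)[0] == major and parse_version(v)[1] >= minor
    ]
    return min(candidates) if candidates else None


def is_vulnerable(version_text: str) -> bool:
    """True if the build is below the fix that applies to its branch."""
    installed = parse_version(version_text)
    majors = [parse_version(v)[0] for v in FIXED_VERSIONS]
    if installed[0] < min(majors):
        return True            # "any version prior to 8.0.258861"
    if installed[0] > max(majors):
        return False           # assumption: later majors include the fix
    target = fix_for_branch(installed)
    if target is None:
        return False           # a minor newer than any listed fix in this major
    return installed < target


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and builds are illustrative.
    inventory = {"ws-01": "15.8.2", "ws-02": "14.5.1", "ws-03": "15.8.3"}
    for host, build in inventory.items():
        state = "VULNERABLE" if is_vulnerable(build) else "patched"
        print(f"{host}: TeamViewer {build} -> {state}")
```

Feed it whatever your software inventory reports as the TeamViewer version; it treats parse failures as errors rather than silently marking a host patched.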

Network security course specialists mention that the flaw is an unquoted search path or element: the application does not properly quote its custom URI handlers. To exploit the flaw, a malicious hacker must lure a victim running a vulnerable version of TeamViewer to a malicious website.
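The root cause above is a registry-level quoting mistake, which is something an administrator can audit. The script below is an added example, not code from the article or from TeamViewer: it parses the kind of `shell\open\command` string a custom URI scheme registers on Windows and flags two weaknesses, an unquoted executable path and an unquoted `%1` URI argument. The sample command strings are constructed for illustration and use a placeholder program name rather than any real handler.

```python
"""Audit a Windows URI-handler command string for missing quotes.

Sample values are constructed; on a real host the command string would be
read from HKEY_CLASSES_ROOT\\<scheme>\\shell\\open\\command (that location is
the standard registration point for URI schemes, not something from the
article).
"""
import re
from typing import Dict, List

# Constructed samples with a placeholder program; not real registry data.
SAMPLE_COMMANDS: Dict[str, str] = {
    "quoted":        r'"C:\Program Files\Example\Example.exe" "%1"',
    "unquoted_arg":  r'"C:\Program Files\Example\Example.exe" %1',
    "unquoted_path": r'C:\Program Files\Example\Example.exe "%1"',
    "both":          r'C:\Program Files\Example\Example.exe %1',
}


def tokenize_command(command: str) -> List[str]:
    """Split on whitespace while keeping double-quoted spans intact.

    Quoted tokens retain their quotes so the audit can tell "%1" from %1.
    """
    return re.findall(r'"[^"]*"|\S+', command)


def audit_handler_command(command: str) -> List[str]:
    """Return a list of findings; an empty list means the command is clean."""
    findings: List[str] = []

    exe_match = re.search(r"\.exe", command, re.IGNORECASE)
    if exe_match is None:
        return ["no .exe found in handler command"]

    # Everything up to and including '.exe' is the executable path.
    exe_prefix = command[: exe_match.end()]
    if " " in exe_prefix and not exe_prefix.startswith('"'):
        findings.append(
            "executable path contains spaces but is not quoted "
            "(unquoted search path or element)"
        )

    # The URI the browser hands over arrives via %1; if it is not quoted,
    # spaces inside the URI become separate command-line parameters.
    for token in tokenize_command(command):
        if "%1" in token and token != '"%1"':
            findings.append(
                f"URI argument {token} is not quoted; extra parameters "
                "could be injected through a crafted URI"
            )
    return findings


def audit_all(commands: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a name->command mapping, e.g. one entry per registered scheme."""
    return {name: audit_handler_command(cmd) for name, cmd in commands.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_COMMANDS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

In practice you would iterate over registered scheme keys, feed each command value to `audit_handler_command`, and treat any finding as a reason to update the application or re-register the handler with both the path and `"%1"` quoted.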

Jeffrey Hofmann, the researcher who discovered the flaw, mentions that: “A threat actor could embed a malicious iframe on the specially designed website, which would launch the TeamViewer desktop client on a Windows system, forcing the start of an SMB share.”

The Windows system would then perform NTLM authentication when opening the share. That request allows attackers to capture the authentication exchange and relay it to another server, gaining the ability to perform operations on that remote server with the authenticated user’s privileges.

According to network security course specialists, successfully exploiting this vulnerability would allow remote hackers to launch TeamViewer with arbitrary parameters. Cybercriminals could force NTLM authentication requests to be sent to their own system, enabling brute force attacks on the captured credentials, among other attacks that follow from credential theft.

In the disclosure, Hofmann noted that no attempts at active exploitation had been detected, although developers and users should consider the risk of exploitation to be high, especially in small and medium-sized enterprises and governmental organizations. TeamViewer has already released a fix for this flaw, so users should update their app as soon as possible.