Teamviewer: Security vulnerability in the client allows privilege escalation

The developers of Teamviewer warn of a security vulnerability in the Teamviewer client. Attackers with low privileges could use it to connect to other users and thus escalate their privileges. An update for the client that corrects the problem is available.

The Teamviewer developers write in a security notice that setting a personal password does not require administrator rights. On multi-user systems, this allows users with low privileges who have access to the client to assign a personal password. With it, they can remotely access other users currently logged in on the system (CVE-2024-0819, CVSS 7.3, risk “high”).

The CVE entry spells out the consequences more clearly: Improper initialization of default settings in the Teamviewer Remote Client before version 15.51.5 for Linux, macOS and Windows allows low-privilege users to escalate their privileges by changing the personal password and establishing a remote access session to a logged-in administrator account.

The developers of Teamviewer explain that clients with the setting “Changes require administrator rights on this computer” or other security functions activated and correctly configured are not vulnerable. They expressly recommend securing Easy Access for unattended access with two-factor authentication. If you still want to use a personal password for this, you should make sure to follow the guidelines and use a strong password.

Both the Teamviewer Remote Full Client and Teamviewer Remote Host are available as fixed version 15.51.5 on the company's download page. IT managers and Teamviewer users should install the update quickly.
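The following is an added example, not code from the article or from Teamviewer: a small triage script that sorts an asset inventory by the criteria stated above (version below 15.51.5, and whether “Changes require administrator rights on this computer” is enforced). The CSV layout, column names and host names are assumptions made for illustration.

```python
import csv
import io

FIXED = (15, 51, 5)  # first fixed release named in the article

# Constructed inventory export; the column names are assumptions,
# not a format produced by Teamviewer.
SAMPLE_INVENTORY = """host,os,product,version,admin_required_for_changes
ws-014,Windows,Teamviewer Remote Full Client,15.50.5,no
ts-002,Windows,Teamviewer Remote Host,15.49.2,yes
mac-07,macOS,Teamviewer Remote Full Client,15.51.5,no
lx-build1,Linux,Teamviewer Remote Host,15.51,no
ws-031,Windows,Teamviewer Remote Full Client,unknown,no
"""

def parse_version(text):
    """Return a tuple of ints padded to three parts, or None if unparseable."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * max(0, 3 - len(nums)))

def triage(inventory_csv):
    """Map each host to 'patch-now', 'patch', 'ok' or 'verify'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        if version is None:
            status = "verify"      # version unknown: check the host by hand
        elif version >= FIXED:
            status = "ok"          # already on 15.51.5 or later
        elif row["admin_required_for_changes"].strip().lower() == "yes":
            status = "patch"       # setting enforced, but the client is still outdated
        else:
            status = "patch-now"   # below 15.51.5 and setting not enforced
        result[row["host"]] = status
    return result

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {status}")
```

Hosts marked `verify` should be treated as unpatched until the installed version has been confirmed.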

Several remote maintenance software products have recently been hit by security problems. Cybercriminals were able to break into Anydesk’s production systems. RustDesk, meanwhile, had to remove a driver because it is currently only signed with a developer test certificate, and a developer certificate had been anchored as trusted in Windows.


(dmk)
