TV-2024-1001

Bulletin ID: TV-2024-1001
Issue Date: Feb 27, 2024
Last Update: Feb 27, 2024
Priority: Important
CVSS: 7.3 (high)
Assigned CVE: CVE-2024-0819
Affected Products: TeamViewer Remote full client; TeamViewer Remote Host

1. Summary

A vulnerability has been found in TeamViewer client prior version 15.51.5 that could allow an unprivileged user on a multi-user system to set a personal password. The issue has been fixed with Version 15.51.5.

2. Vulnerability Details

CVE-ID	CVE-2024-0819
Description	In the Teamviewer client prior Version 15.51.5, access to the personal password setting doesn’t require administrative rights. A low privileged user on a multi-user system, with access to the client, can set a personal password. That potentially allows an unprivileged user to establish a remote connection to other currently logged-in users on the same system. TeamViewer clients with activated setting “changes require administrative right on this computer” or additional security features active and properly configured are not affected, e.g. Options Password Conditional Access BYOC Block & Allow List Access control TFA for connections One-time-password TeamViewer recommends using Easy Access for unattended access, combined with the Two-Factor-Authentication, this protection covers accessing the TeamViewer account and any machine you support via TeamViewer. If you still consider to use a personal password please make sure to follow the guidelines and use a strong password.
CVSS3.0 Score	Base Score 7.3 (High)
CVSS3.1 Vector String	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Problem type	CWE-269: Improper Privilege Management

3. Affected products & versions

Product	Versions	Info
Teamviewer Remote full client	< 15.51.5	Update available
Teamviewer Remote Host	< 15.51.5	Update available

4. Solutions and mitigations

Recommended: Update to the latest version (15.51.5 or higher)

or set “changes require administrative rights on this computer” in the advanced settings of the client

or set an “options password” in the advanced settings of the client

or consider one the above-mentioned security features.

5. Additional Resources

https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-remote/security/security-statement/

https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/security/best-practices/best-practices-for-secure-unattended-access/

https://www.teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/security/

6. Acknowledgments

We thank Aaron Schlitt, Lukas Radermacher and Nils Hanff very much for their contribution and responsible disclosure.

Do you want to report a security issue?

TeamViewer’s security team will investigate every submission in our Vulnerability Disclosure Program.

See our VDP

Incomplete protection of personal password settings

1. Summary

2. Vulnerability Details

3. Affected products & versions

4. Solutions and mitigations

5. Additional Resources

Do you want to report a security issue?

Please choose your region

SUGGESTED REGION

Americas

Asia Pacific

Commonwealth of Independent States

Europe

Middle East Africa