TV-2023-1001

Incomplete protection of local device settings

Bulletin ID
TV-2022-1001
Issue Date
14 Jun 2023
Last Update
14 Jun 2023
Priority
Moderate
CVSS
6.3 (medium)
Assigned CVE
CVE-2022-23242
Affected Products
TeamViewer for Linux

1. Summary

A bug has been found in TeamViewer for Linux before 15.28 that could result in the inadvertent re-use of a previously used connection password after a process crash. The bug has been fixed in version 15.28. We recommend updating your Linux client installations at your earliest convenience.

2. Vulnerability Details

CVE-ID

Description

TeamViewer for Linux versions before 15.28 did not properly execute the deletion command for the connection password in case of a process crash. Knowledge of the crash event and the TeamViewer ID, together with either possession of the pre-crash connection password or local authenticated access to the machine, would have allowed an attacker to establish a remote connection by reusing the improperly deleted connection password. We do not have any indication of active exploitation.
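The failure mode described above, cleanup of the session password that only runs on an orderly exit so that a crash leaves the old password reusable, modelled beside the hardened pattern of rotating the secret on every start. This is an added, constructed illustration, not TeamViewer's code; the state file and class names are assumptions.

```python
import os
import secrets
import tempfile

# Constructed model of the bug class, not TeamViewer's code: a remote-access
# daemon persists its session password to a state file (path is an assumption).
class SessionPasswordStore:
    def __init__(self, state_path, rotate_on_start):
        self.state_path = state_path
        if rotate_on_start:
            # Hardened: never trust what a previous (possibly crashed)
            # process left on disk; always start with a fresh secret.
            self.password = self._generate()
        else:
            # Flawed: reuse a persisted password if one survives, which is
            # exactly the state a crash leaves behind.
            self.password = self._load() or self._generate()
        self._save()

    @staticmethod
    def _generate():
        return secrets.token_urlsafe(12)

    def _load(self):
        try:
            with open(self.state_path) as f:
                return f.read().strip() or None
        except FileNotFoundError:
            return None

    def _save(self):
        with open(self.state_path, "w") as f:
            f.write(self.password)

    def clean_shutdown(self):
        # The deletion step only runs on an orderly exit; a crash skips it.
        self.password = None
        if os.path.exists(self.state_path):
            os.remove(self.state_path)


def simulate_restart_after_crash(rotate_on_start):
    """Run a session, crash without clean_shutdown(), restart the daemon.
    Returns True if the new process reuses the pre-crash password."""
    path = os.path.join(tempfile.mkdtemp(), "session_pw")
    first = SessionPasswordStore(path, rotate_on_start)
    before = first.password
    del first  # simulated crash: clean_shutdown() is never reached
    second = SessionPasswordStore(path, rotate_on_start)
    return second.password == before
```

The flawed configuration reports password reuse after the simulated crash; the hardened one does not, because it never reads the leftover state as a credential.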

CVSS3.0 Score

Base Score 6.3 (medium)

CVSS3.0 Vector String

Problem type

N/A

3. Affected products & versions

Product
TeamViewer for Linux
Versions
15.27 and lower

4. Solutions & mitigations

Update to the latest version (15.28 or higher)

5. Additional Resources

For users leveraging passwordless authentication (“Easy Access”) and/or MFA for connections, the issue is not exploitable.

https://community.teamviewer.com/English/kb/articles/108791-two-factor-authentication-for-connections

https://community.teamviewer.com/English/kb/articles/108681-best-practices-for-secure-unattended-access

Download resources:

https://www.teamviewer.com/en/download/linux/

6. Acknowledgments

We thank Weaponshotgun & WildZarek very much for their research and responsible disclosure.