← back
CVE-2019-18988

CVE-2019-18988

CVSS 7 HIGHEPSS 4.7%● KEVCWE-521
In short

TeamViewer Desktop uses the same encryption key for all customer installations, allowing anyone who knows this shared key to decrypt sensitive passwords stored on the system. This could let attackers gain remote access to computers without authorization.

Technical detail

CVE-2019-18988 exploits a hardcoded AES encryption key shared across all TeamViewer installations since v7.0.43148, enabling decryption of OptionsPasswordAES and, in versions before v9.x, the Unattended Access password stored in registry or configuration files. Attack vector requires either local access to the system or exposure of configuration files to remote storage; successful exploitation grants unauthorized remote access and file browsing capabilities.

Summary generated and translated by AI from the official description.
TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protect information stored in the registry or configuration files of TeamViewer. With versions before v9.x , this allowed for attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to login to the system.
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
public PoCs found2
githubgithub.com/mr-r3b00t/CVE-2019-189883githubgithub.com/reversebrain/CVE-2019-189882
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264https://community.teamviewer.com/t5/Knowledge-Base/tkb-p/Knowledgebase?threadtype=label&labels=Securityhttps://twitter.com/Blurbdust/status/1224212682594770946?s=20https://whynotsecurity.com/blog/teamviewer/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-18988