CVE-2019-18988

Name of the Vulnerable Software and Affected Versions TeamViewer Desktop versions 7.0.43148 through 14.7.1965

Description The issue is related to the implementation of the Advanced Encryption Standard (AES) algorithm in TeamViewer, which is associated with weak password requirements. Exploitation of this issue can allow an attacker to bypass security restrictions and gain unauthorized access to protected information. Specifically, TeamViewer Desktop uses a shared AES key for all installations, which can be used to decrypt protected information stored in the registry or configuration files. In versions before 9.x, this allowed attackers to decrypt the Unattended Access password, enabling remote login to the system. Although the latest version has changed how the Unattended Access password is stored, it still uses the same key for OptionPasswordAES.

Recommendations For TeamViewer Desktop versions 7.0.43148 through 14.7.1965, update to a version later than 14.7.1965 to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the registry and configuration files where sensitive information is stored. Avoid storing registry or configuration keys in publicly accessible locations, such as file shares or online storage. At the moment, there is no information about additional mitigation measures for this specific issue.