CVE-2019-18988
Published: 07 February 2020
Summary
CVE-2019-18988 is a high-severity Weak Password Requirements (CWE-521) vulnerability in TeamViewer. Its CVSS base score is 7.0 (High).
Operationally, it is ranked in the top 7.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SC-28 (Protection of Information at Rest).
Deeper analysis
TeamViewer Desktop through 14.7.1965 uses a single shared AES key for all installations, dating back at least to version 7.0.43148, to encrypt values such as OptionsPasswordAES in the registry and configuration files. This cryptographic reuse allows any party who recovers the key to decrypt customer-specific protected data, directly undermining the access-control mechanisms that rely on those encrypted values.
An attacker with local access or the ability to read exported configuration data can obtain the Unattended Access password on versions before 9.x, enabling remote login and headless file operations. Even on newer releases the same key still protects OptionPasswordAES, so offline registry or file-share copies of configuration data remain decryptable and usable for authentication. The vulnerability carries a CVSS 7.0 score reflecting local attack vector, high complexity, and high impact on confidentiality, integrity, and availability.
TeamViewer has published an official specification and related knowledge-base entries that describe the key-reuse behavior and the changes made to Unattended Access password storage. No further mitigation details beyond these advisories are provided in the available references.
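Because offline registry or file-share copies of the configuration remain sensitive, a defender can audit stored exports for the protected values. The following is an added example, not code from TeamViewer or from this page's references: it parses a regedit text export and reports where the value names mentioned above occur, without printing the blob. The key path and bytes in the sample are constructed placeholders.

```python
import re

# Value names as spelled in the advisory text (both spellings appear there).
WATCHED = {"optionspasswordaes", "optionpasswordaes"}
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(?P<bytes>[0-9a-fA-F,\s]*)$")


def decode_export(raw: bytes) -> str:
    """regedit writes UTF-16LE with a BOM (v5.00) or an ANSI code page (REGEDIT4)."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    return raw.decode("cp1252", errors="replace")


def find_protected_values(raw: bytes):
    """Return (key, value name, byte length) per watched value; never the bytes."""
    text = decode_export(raw)
    # Long hex values are wrapped with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if not m or m.group("name").lower() not in WATCHED:
            continue
        h = HEX_RE.match(m.group("data"))
        size = len([b for b in h.group("bytes").split(",") if b.strip()]) if h else 0
        findings.append((key, m.group("name"), size))
    return findings


# Constructed sample export: placeholder key path and dummy bytes.
SAMPLE = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor\\ExampleProduct]\r\n"
    "\"Version\"=\"0.0.0\"\r\n"
    "\"OptionsPasswordAES\"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,\\\r\n"
    "  cc,dd,ee,ff\r\n"
).encode("utf-16-le")

for key, name, size in find_protected_values(SAMPLE):
    print(f"{key}: {name} ({size} bytes)")
```

Any hit in an export stored on a share or in a backup marks a file that should be access-restricted or removed.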
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-8642
Vulnerability details
TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login access control because the same key is used for different customers' installations. It used a shared AES key for all installations since at least as far back as v7.0.43148, and used it for at least OptionsPasswordAES in the current version of the product. If an attacker were to know this key, they could decrypt protected information stored in the registry or configuration files of TeamViewer. With versions before v9.x, this allowed attackers to decrypt the Unattended Access password to the system (which allows for remote login to the system as well as headless file browsing). The latest version still uses the same key for OptionPasswordAES but appears to have changed how the Unattended Access password is stored. While in most cases an attacker requires an existing session on a system, if the registry/configuration keys were stored off of the machine (such as in a file share or online), an attacker could then decrypt the required password to log in to the system.
- CWE(s): CWE-521
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Mandates proper cryptographic key establishment and management, directly preventing the shared AES key reuse across installations that enables decryption of OptionsPasswordAES and Unattended Access passwords.
Requires cryptographic protection of information at rest, which would have prevented exposure of registry-stored credentials when the single key shared across all installations is known.
Requires secure authenticator management including protection of stored passwords, mitigating the ability to decrypt and reuse Unattended Access credentials obtained from configuration files.