Three months ago, I discovered a security vulnerability in TeamViewer RPM auto-updates on Linux. The vulnerability allowed an attacker-in-the-middle (AITM) to subvert the TeamViewer RPM package repository to install and execute arbitrary software with root permissions.
First things first: TeamViewer followed best practices and used cryptographic signing (GPG) on the repository metadata and its software packages. These measures should have prevented anyone from tampering with either the repository or any of its packages. However, they assume that the system has an authentic copy of TeamViewer’s public GPG key.
Unfortunately, TeamViewer made a mistake with how it distributes its GPG public key. The mistake let an AITM substitute its own public key during repository updates, package installations, and package updates. The vulnerability would even prompt the user to accept a new key if the system had previously trusted a different key for the TeamViewer RPM repository.
TeamViewer distributes an RPM package on its website. To install TeamViewer, users download this package over a secure connection. The user would assume it’s safe to install something that comes from the official website. TeamViewer signs all RPM packages with its GPG key, which can be used to cryptographically verify that the package was indeed created by TeamViewer. At this point, though, the package didn’t come from a known RPM repository, and the typical installation tools (GNOME Software, KDE Discover, DNF, or YUM) don’t enforce GPG checks on side-loaded packages.
The RPM package installs TeamViewer and a new RPM repository configuration file onto the system. The repository configuration file enables the typical package management and update tools to pull in updates automatically from TeamViewer when the rest of the system is updated. TeamViewer doesn’t include a copy of its public GPG key in the RPM package, however. The repository configuration file contains the following options:
The gpgcheck option opts in to GPG checking of any packages downloaded from the repository. The gpgkey option tells the system to retrieve the GPG key on demand from the provided address. The key retrieval address doesn’t use encryption and is subject to AITM manipulation. The option also tells the system to try fetching an updated key from this address if it later runs into a problem with the key, such as a mismatch.
The configuration file is also missing the repo_gpgcheck option. Without this option set, the integrity of the repository metadata itself won’t be verified. The repository itself is also accessed over an unencrypted connection, which is likewise subject to AITM manipulation.
The combination of these weaknesses greatly simplifies effective exploitation. An AITM can modify packages and make any arbitrary changes to the repository. The installed repository configuration file requires that the packages be signed. As the attacker also controls the key update address, they could simply substitute their own key.
The update system will prompt the user to trust any new GPG key. At this point, users can pause the upgrade process and try to manually verify that the key they’re presented with is indeed TeamViewer’s authentic key. Unfortunately, users are far more likely to choose the path of least resistance and just accept the new key to proceed with the update.
System updates run with full root privileges. The vulnerability therefore allows an attacker to execute and persistently install software with full system privileges. An attacked system must be considered fully and irrecoverably compromised after this vulnerability has been exploited.
The TeamViewer RPM repository was already available over HTTPS. Users could manually modify the repository configuration file to use HTTPS instead of HTTP. After I made TeamViewer aware of the issue, it delivered an update that makes HTTPS the new default. It also enabled the missing
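As an added illustration of the configuration weaknesses described above and of the hardened form the fix moves to, here is a small audit script (my own example, not TeamViewer’s file or code; the repository and key URLs are constructed placeholders) that flags plaintext-HTTP fetches, disabled package signature checks, and missing repository metadata signing in a .repo file:

```python
import configparser
from urllib.parse import urlparse

# Constructed sample modelled on the weaknesses described in the article
# (not the actual TeamViewer file): plaintext baseurl and gpgkey, no repo_gpgcheck.
WEAK_REPO = """\
[teamviewer]
name=TeamViewer - x86_64
baseurl=http://repo.example.invalid/yum/stable/main/
enabled=1
gpgcheck=1
gpgkey=http://repo.example.invalid/RPM-GPG-KEY-example
"""

# Hardened form: HTTPS for both fetches and repository metadata signing enabled.
HARDENED_REPO = """\
[teamviewer]
name=TeamViewer - x86_64
baseurl=https://repo.example.invalid/yum/stable/main/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-example
"""


def audit_repo(text):
    """Return {section: [findings]} for every enabled repository in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        repo = cp[section]
        if repo.get("enabled", "1") == "0":
            continue
        problems = []
        # These keys may hold several whitespace-separated URLs; check each one.
        for key in ("baseurl", "metalink", "mirrorlist", "gpgkey"):
            for url in repo.get(key, "").split():
                if urlparse(url).scheme == "http":
                    problems.append(f"{key} fetched over plaintext HTTP: {url}")
        if repo.get("gpgcheck", "") != "1":
            problems.append("gpgcheck not set to 1: package signatures not verified")
        if repo.get("repo_gpgcheck", "") != "1":
            problems.append("repo_gpgcheck missing: repository metadata not verified")
        findings[section] = problems
    return findings


if __name__ == "__main__":
    import glob
    for path in sorted(glob.glob("/etc/yum.repos.d/*.repo")):
        with open(path) as fh:
            for section, problems in audit_repo(fh.read()).items():
                for problem in problems:
                    print(f"{path} [{section}]: {problem}")
```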
TeamViewer fixed the security vulnerabilities discussed in this article in version 15.11.6 released on . It did not mention the fix in the release changelog. The fix is deployed automatically on upgrade unless you’ve manually modified the /etc/yum.repos.d/teamviewer.repo file after installation.
I reported this security vulnerability against TeamViewer version 15.8.3 on . TeamViewer quickly acknowledged the issue, but it took the company two and a half months to fix it. The required fix was trivial, but the changelog for version 15.9.5 (released ) suggests that TeamViewer had some other problem with its RPM signing.
I have no evidence that this was exploited in the wild. The vulnerability only affected the TeamViewer RPM repository, and did not affect its APT packages or repository. Debian and its derivatives (like Ubuntu) use APT. Fedora, CentOS, OpenSUSE, and others use RPM.
To prevent this oversight from affecting other projects, software update tools that use RPM repositories should introduce additional security checks. To this end, I’ve sent a patch to DNF that adds a warning when GPG keys are retrieved over HTTP.