ACTIVE-2019-004: TeamSpeak 3 Client URI Handler Remote Command Execution
Vulnerability Type:
Remote Command Execution
Vendors:
TeamSpeak Systems, Inc.
CVE ID:
CVE-2019-11351
Affected Products:
- TeamSpeak 3 Client Version 3.2.3 and older for Windows
Summary:
A vulnerability in the TeamSpeak 3 Client, could allow an attacker to execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI that is defined in Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user if the attacker can place a crafted library in a directory that is accessible to the vulnerable system.
Mitigation:
The vendor has released a hotfix in version 3.2.5 addressing this vulnerability.
Credit:
This vulnerability was found by Hashim Jawad of ACTIVELabs.
References:
- https://forum.teamspeak.com/threads/139546-Release-TeamSpeak-3-Client-3-2-5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11351
- https://nvd.nist.gov/vuln/detail/CVE-2019-11351
Disclosure Timeline:
- 04-17-19: ACTIVELabs contacted TeamSpeak via Twitter
- 04-17-19: TeamSpeak provided contact information
- 04-17-19: ACTIVELabs report sent to TeamSpeak security team
- 04-17-19: TeamSpeak was able to reproduce the issue
- 04-17-19: TeamSpeak 3 Client version 3.2.5 was pushed out addressing the vulnerability
- 04-17-19: ACTIVELabs notified TeamSpeak security team that CVE entry will be requested
- 04-19-19: ACTIVELabs requested CVE from MITRE
- 04-19-19: CVE-2019-11351 was assigned
- 04-22-19: ACTIVELabs publishes this advisory