Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ACTIVE-2019-004: TeamSpeak 3 Client URI Handler Remote Command Execution

Vulnerability Type:

Remote Command Execution

Vendors:

TeamSpeak Systems, Inc.

CVE ID:

CVE-2019-11351

Affected Products:

  • TeamSpeak 3 Client Version 3.2.3 and older for Windows

Summary:

A vulnerability in the TeamSpeak 3 Client, could allow an attacker to execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI that is defined in Windows operating systems. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user if the attacker can place a crafted library in a directory that is accessible to the vulnerable system.

Mitigation:

The vendor has released a hotfix in version 3.2.5 addressing this vulnerability.

Credit:

This vulnerability was found by Hashim Jawad of ACTIVELabs.

References:

Disclosure Timeline:

  • 04-17-19: ACTIVELabs contacted TeamSpeak via Twitter
  • 04-17-19: TeamSpeak provided contact information
  • 04-17-19: ACTIVELabs report sent to TeamSpeak security team
  • 04-17-19: TeamSpeak was able to reproduce the issue
  • 04-17-19: TeamSpeak 3 Client version 3.2.5 was pushed out addressing the vulnerability
  • 04-17-19: ACTIVELabs notified TeamSpeak security team that CVE entry will be requested
  • 04-19-19: ACTIVELabs requested CVE from MITRE
  • 04-19-19: CVE-2019-11351 was assigned
  • 04-22-19: ACTIVELabs publishes this advisory