Forum

Page 1 of 6 123 ... LastLast
Results 1 to 15 of 84
  1. #1
    Join Date
    October 2003
    Location
    Germany
    Posts
    2,371

    Exclamation [SECURITY UPDATE] TeamSpeak 3 Client 3.0.18.1 is Available

    We have just released a very important security update for the TeamSpeak 3 Client addressing a RFI (Remote File Inclusion) vulnerability. Please upgrade your desktop clients to version 3.0.18.1 immediately. The update is available for Windows, Linux and OS X. Mobile clients for Android and iOS are not affected by this issue.

    You can use the auto-update feature to grab this new release. If you need an installer, please refer to our Downloads page.

    Here's the full changelog:

    Code:
    === Client Release 3.0.18.1 10 Oct 2015
      ! Hotfix release to fix security vulnerability


    *** IMPORTANT ***
    We strongly recommend that all server providers and admins change the minimum desktop client version for users required to connect to the server. Unfortunately, this will also prevent mobile clients to connect for now. We'll release updates to Google Play and the Apple App Store as soon as possible (see updates below).

    If you don't want to (or can't) increase the minimum client version on your server, you can prevent users from exploiting this vulnerability by revoking the permissions to create channels with descriptions on your server.

    There are two ways to increase the minimum client version:

    1. Update Server Settings via ServerQuery
    Use the following commands via ServerQuery (per default running on TCP port 10011) to do this:

    Code:
    // authenticate with your serveradmin account (generated during initial server start)
    login username password
    
    // change default settings for virtual servers you create in the future
    use 0           
    serveredit virtualserver_min_client_version=1444491275
    
    // repeat this for all existing virtual servers in the TeamSpeak instance
    use port=9987   
    serveredit virtualserver_min_client_version=1444491275
    use port=9988   
    serveredit virtualserver_min_client_version=1444491275
    ...
    No restart is required when you're using ServerQuery to change the settings.

    2. Update Server Settings via SQL
    If you have access to your servers database (SQLite or MySQL) you can use this SQL query to update all virtual servers at once:

    Code:
    UPDATE server_properties SET value = '1444491275' WHERE ident = 'virtualserver_min_client_version';
    You need to restart the server afterwards so the settings will be reload.



    We sincerely apologize for any inconvenience caused.



    *** UPDATE 01 ***
    An updated Android client has just been pushed to Google Play and will be available in the next few hours.

    *** UPDATE 02 ***
    The Android client update is now live. In addition to a new build number, it introduces Android 6.0 compatibility.

    *** UPDATE 03 ***
    The iOS client has been sumbitted to the Apple App Store and we're waiting for approval.
    Apple usual needs 7-14 days for this.
    Last edited by dante696; October 19th, 2015 at 09:35 AM. Reason: added details about ios approval

  2. #2
    Join Date
    March 2014
    Posts
    12
    Will setting the virtualserver_min_client_version affect mobile clients connections?

  3. #3
    Join Date
    August 2014
    Posts
    5
    I am updating it now but why is it that important?

  4. #4
    Join Date
    October 2003
    Location
    Germany
    Posts
    2,371
    Quote Originally Posted by Kubuxu View Post
    Will setting the virtualserver_min_client_version affect mobile clients connections?
    Unfortunately, it does. Upcoming server versions will allow you to specify the minimum client version for Android and iOS separate from the desktop version.

    Quote Originally Posted by ahmedkoki View Post
    I am updating it now but why is it that important?
    Well... previous client versions were affected by a vulnerability that allowed an attacker to download malicious files to your computer. So this is very serious. We strongly recommend that everyone updates their clients before the way to exploit this is publicly known.
    Last edited by ScP; October 10th, 2015 at 08:47 PM.

  5. #5
    Join Date
    July 2013
    Posts
    2

  6. #6
    Join Date
    October 2003
    Location
    Germany
    Posts
    2,371
    My best guess is that this is an UAC issue because you did not start the installer in elevated mode or the TS3 Client is currently running (but I don't see that on your screenshot)... The installer itself seems to be OK since I am unable to reproduce this error on any of my systems.

    Please note that you can also use the auto update feature by starting the TS3 Client and hitting Help -> Check for Update.

  7. #7
    Join Date
    October 2015
    Posts
    3
    I was affected by this attack.

    Could the attacker also execute the files? Or just download?

  8. #8
    Join Date
    October 2003
    Location
    Germany
    Posts
    2,371
    Quote Originally Posted by pully View Post
    I was affected by this attack.

    Could the attacker also execute the files? Or just download?
    In worst case, yes.


  9. #9
    Join Date
    August 2014
    Posts
    21
    Quote Originally Posted by pully View Post
    I was affected by this attack.

    Could the attacker also execute the files? Or just download?
    How can you be sure you were attacked, if you don't even know if the file has been executed?
    I'm sure you mean, that you were affected by the vulnerability (as everyone) which may or may not have been exploited. Most likely not I suppose.

    If I am mistaken, please provide more details.

    @ScP / Staff: Was this vulnerability discovered by a TeamSpeak staff member or has it been disclosed by a user / found in the wild?

  10. #10
    Join Date
    July 2009
    Posts
    27
    Well, because you don't have also recompiled and re-roled out the andorid/iphone versions which is your task to do it if the min_client_version affect also mobile devices, I can't change this number until they are also supported.

    If such an attack will come then I must tell it to you because I can't exclued mobile devices because I need to connect to my TS3 - Servers if customers have problems and also customers are connecting over there own mobile phone.

    At the point that you knowing this you already sjould have re-released the latest mobile version directly after the client release.

    I must say that this is very bad support for this important security fix only because mobile versions are not affected by this vulnerability.

    Can't understand this politics ...

  11. #11
    Join Date
    October 2003
    Location
    Germany
    Posts
    2,371
    Quote Originally Posted by phvcky View Post
    @ScP / Staff: Was this vulnerability discovered by a TeamSpeak staff member or has it been disclosed by a user / found in the wild?
    The issue has been reported to our development team by a user.

    Quote Originally Posted by Chaos234 View Post
    I must say that this is very bad support for this important security fix only because mobile versions are not affected by this vulnerability.

    Can't understand this politics ...
    What you might not know is that releasing an update to Google Play and the Apple App Store is not as simple as uploading a file to some FTP server. Every update is subject to a review process by Apple (and Google since earlier this year) so it takes some additional time to get those new releases out. Would you prefer us to hold back a critical security update until the mobile clients are approved?

    In my posting I also explained what you can do as a server admin if you don't want (or can't) increase the minimum client version.

    We're fully aware that this situation is not ideal and we sincerely apologize for any inconvenience caused, but the security and privacy of our user-base is one of the most important things to us.
    Last edited by ScP; October 10th, 2015 at 09:39 PM.

  12. #12
    Join Date
    October 2015
    Posts
    3
    Quote Originally Posted by phvcky View Post
    How can you be sure you were attacked, if you don't even know if the file has been executed?
    I'm sure you mean, that you were affected by the vulnerability (as everyone) which may or may not have been exploited. Most likely not I suppose.

    If I am mistaken, please provide more details.
    The attacker downloaded a file to my desktop. The attacker told it to me that it was done by this exploit.

    Now i must know if i must reformat my disk.

  13. #13
    Join Date
    October 2003
    Location
    Germany
    Posts
    2,371
    Quote Originally Posted by pully View Post
    The attacker downloaded a file to my desktop. The attacker told it to me that it was done by this exploit.

    Now i must know if i must reformat my disk.
    I wouldn't assume the worst case scenario just now... If you can provide details about the suspicious file we might be able to help. Can you upload that file somewhere (e.g. Dropbox) and send me a PM with the link?

  14. #14
    Join Date
    October 2015
    Posts
    3
    It was just an empty file.
    Everyone on the server was affected.

    Does this exploit allow execution or not?

  15. #15
    Join Date
    October 2003
    Location
    Germany
    Posts
    2,371
    Quote Originally Posted by pully View Post
    Does this exploit allow execution or not?
    Yes, it does.

    Of course you can't be sure, but... if the file was empty (and visible on your desktop), I think someone was just trying to troll you by exploiting this vulnerability. If I were you, I'd just scan my computer for viruses for now and keep an eye out for anything suspicious. But I guess there's no need to wipe your disk just now.


Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Replies: 0
    Last Post: August 13th, 2015, 05:01 AM
  2. Cannot Update TeamSpeak 3 Client
    By FazzaR in forum Bug Reports [EN/DE]
    Replies: 2
    Last Post: May 24th, 2011, 08:01 AM
  3. TeamSpeak 3 Client Update failing at 59%.
    By rifter in forum Windows
    Replies: 4
    Last Post: May 17th, 2011, 04:24 PM
  4. Replies: 5
    Last Post: October 29th, 2010, 05:53 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •