[SECURITY UPDATE] TeamSpeak 3 Client 3.0.18.1 is Available

[ScP]

We have just released a very important security update for the TeamSpeak 3 Client addressing a RFI (Remote File Inclusion) vulnerability. Please upgrade your desktop clients to version 3.0.18.1 immediately. The update is available for Windows, Linux and OS X. Mobile clients for Android and iOS are not affected by this issue.

You can use the auto-update feature to grab this new release. If you need an installer, please refer to our Downloads page.

Here's the full changelog:

Code:

=== Client Release 3.0.18.1 10 Oct 2015
  ! Hotfix release to fix security vulnerability

---

*** IMPORTANT ***
We strongly recommend that all server providers and admins change the minimum desktop client version for users required to connect to the server. Unfortunately, this will also prevent mobile clients to connect for now. We'll release updates to Google Play and the Apple App Store as soon as possible (see updates below).

If you don't want to (or can't) increase the minimum client version on your server, you can prevent users from exploiting this vulnerability by revoking the permissions to create channels with descriptions on your server.

There are two ways to increase the minimum client version:

1. Update Server Settings via ServerQuery
Use the following commands via ServerQuery (per default running on TCP port 10011) to do this:

Code:

// authenticate with your serveradmin account (generated during initial server start)
login username password

// change default settings for virtual servers you create in the future
use 0           
serveredit virtualserver_min_client_version=1444491275

// repeat this for all existing virtual servers in the TeamSpeak instance
use port=9987   
serveredit virtualserver_min_client_version=1444491275
use port=9988   
serveredit virtualserver_min_client_version=1444491275
...

No restart is required when you're using ServerQuery to change the settings.

2. Update Server Settings via SQL
If you have access to your servers database (SQLite or MySQL) you can use this SQL query to update all virtual servers at once:

Code:

UPDATE server_properties SET value = '1444491275' WHERE ident = 'virtualserver_min_client_version';

You need to restart the server afterwards so the settings will be reload.

---

We sincerely apologize for any inconvenience caused.

---

*** UPDATE 01 ***
An updated Android client has just been pushed to Google Play and will be available in the next few hours.

*** UPDATE 02 ***
The Android client update is now live. In addition to a new build number, it introduces Android 6.0 compatibility.

*** UPDATE 03 ***
The iOS client has been sumbitted to the Apple App Store and we're waiting for approval.
Apple usual needs 7-14 days for this.

[Kubuxu]

Will setting the virtualserver_min_client_version affect mobile clients connections?

[ahmedkoki]

I am updating it now but why is it that important?

[ScP]

Will setting the virtualserver_min_client_version affect mobile clients connections?

Unfortunately, it does. Upcoming server versions will allow you to specify the minimum client version for Android and iOS separate from the desktop version.

I am updating it now but why is it that important?

Well... previous client versions were affected by a vulnerability that allowed an attacker to download malicious files to your computer. So this is very serious. We strongly recommend that everyone updates their clients before the way to exploit this is publicly known.

[FiLinX]

http://pix.academ.org/img/2015/10/11...0871775d4f.png

[ScP]

http://pix.academ.org/img/2015/10/11...0871775d4f.png

My best guess is that this is an UAC issue because you did not start the installer in elevated mode or the TS3 Client is currently running (but I don't see that on your screenshot)... The installer itself seems to be OK since I am unable to reproduce this error on any of my systems.

Please note that you can also use the auto update feature by starting the TS3 Client and hitting Help -> Check for Update.

[pully]

I was affected by this attack.

Could the attacker also execute the files? Or just download?

[ScP]

I was affected by this attack.

Could the attacker also execute the files? Or just download?

In worst case, yes.

[phvcky]

I was affected by this attack.

Could the attacker also execute the files? Or just download?

How can you be sure you were attacked, if you don't even know if the file has been executed?
I'm sure you mean, that you were affected by the vulnerability (as everyone) which may or may not have been exploited. Most likely not I suppose.

If I am mistaken, please provide more details.

@ScP / Staff: Was this vulnerability discovered by a TeamSpeak staff member or has it been disclosed by a user / found in the wild?

[Chaos234]

Well, because you don't have also recompiled and re-roled out the andorid/iphone versions which is your task to do it if the min_client_version affect also mobile devices, I can't change this number until they are also supported.

If such an attack will come then I must tell it to you because I can't exclued mobile devices because I need to connect to my TS3 - Servers if customers have problems and also customers are connecting over there own mobile phone.

At the point that you knowing this you already sjould have re-released the latest mobile version directly after the client release.

I must say that this is very bad support for this important security fix only because mobile versions are not affected by this vulnerability.

Can't understand this politics ...

[ScP]

@ScP / Staff: Was this vulnerability discovered by a TeamSpeak staff member or has it been disclosed by a user / found in the wild?

The issue has been reported to our development team by a user.

I must say that this is very bad support for this important security fix only because mobile versions are not affected by this vulnerability.

Can't understand this politics ...

What you might not know is that releasing an update to Google Play and the Apple App Store is not as simple as uploading a file to some FTP server. Every update is subject to a review process by Apple (and Google since earlier this year) so it takes some additional time to get those new releases out. Would you prefer us to hold back a critical security update until the mobile clients are approved?

In my posting I also explained what you can do as a server admin if you don't want (or can't) increase the minimum client version.

We're fully aware that this situation is not ideal and we sincerely apologize for any inconvenience caused, but the security and privacy of our user-base is one of the most important things to us.

[pully]

How can you be sure you were attacked, if you don't even know if the file has been executed?
I'm sure you mean, that you were affected by the vulnerability (as everyone) which may or may not have been exploited. Most likely not I suppose.

If I am mistaken, please provide more details.

The attacker downloaded a file to my desktop. The attacker told it to me that it was done by this exploit.

Now i must know if i must reformat my disk.

[ScP]

The attacker downloaded a file to my desktop. The attacker told it to me that it was done by this exploit.

Now i must know if i must reformat my disk.

I wouldn't assume the worst case scenario just now... If you can provide details about the suspicious file we might be able to help. Can you upload that file somewhere (e.g. Dropbox) and send me a PM with the link?

[pully]

It was just an empty file.
Everyone on the server was affected.

Does this exploit allow execution or not?

[ScP]

Does this exploit allow execution or not?

Yes, it does.

Of course you can't be sure, but... if the file was empty (and visible on your desktop), I think someone was just trying to troll you by exploiting this vulnerability. If I were you, I'd just scan my computer for viruses for now and keep an eye out for anything suspicious. But I guess there's no need to wipe your disk just now.