CVE-2020-0765: Remote Desktop Connection Manager Information Disclosure Vulnerability

Overview

Severity: N/A
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2020-Mar
Released: 2020-03-10
Last Updated: 2021-08-10
EPSS Score: 17.37% (percentile: 95.1%)

Description

An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration. To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.

FAQ

Where do I find the update for Remote Desktop Connection Manager (RDCMan)?

Microsoft is not planning on fixing this vulnerability in RDCMan and has deprecated the application. Microsoft recommends using supported Remote Desktop clients and exercising caution when opening RDCMan configuration files (.rdg).

Update 8/10/2021: RDCMan 2.82 is available through Sysinternals (Remote Desktop Connection Manager - Windows Sysinternals | Microsoft Docs). This vulnerability has been addressed in this new version.
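One concrete way to follow the "exercise caution when opening .rdg files" advice, added here as an example and not code from Microsoft or the RDCMan project: a pre-flight scanner that inspects an .rdg file's declarations with Python's expat bindings and flags any DOCTYPE or external entity before an unpatched RDCMan 2.7 is allowed to parse it. The two .rdg documents are constructed samples; the benign one follows the layout RDCMan 2.7 writes (programVersion 2.7, schemaVersion 3), and the SYSTEM path in the hostile one is an invented placeholder.

```python
import xml.parsers.expat

# Constructed sample: the layout RDCMan 2.7 writes for one server; no DTD.
BENIGN_RDG = """<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.7" schemaVersion="3">
  <file>
    <properties><expanded>True</expanded><name>lab</name></properties>
    <server><properties><name>host01.example.test</name></properties></server>
  </file>
</RDCMan>"""

# Constructed sample: same file with an external entity declared in a DTD.
# The SYSTEM path is a placeholder; the scanner inspects declarations only.
HOSTILE_RDG = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE RDCMan [<!ENTITY xxe SYSTEM "file:///C:/placeholder/secret.txt">]>
<RDCMan programVersion="2.7" schemaVersion="3">
  <file><properties><name>&xxe;</name></properties></file>
</RDCMan>"""


def scan_rdg(xml_text: str) -> list[str]:
    """Return findings for an .rdg document; an empty list means no DTD.

    A legitimate .rdg file never carries a DOCTYPE, so any declaration is
    grounds to refuse the file. Only expat's declaration callbacks are set
    (no ExternalEntityRefHandler), so entities are reported, never fetched.
    """
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declared for root <{name}>")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        findings.append(f"{kind} entity '{name}' -> {sysid or pubid or value!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


def safe_to_open(xml_text: str) -> bool:
    """True only when the document declares no DTD and parses cleanly."""
    return not scan_rdg(xml_text)
```

Run `scan_rdg` over the contents of an .rdg file received from outside before opening it in RDCMan 2.7; the check is unnecessary on RDCMan 2.82, which the update above says addresses the issue.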

Affected Products (2)

Developer Tools

  • Remote Desktop Connection Manager v2.82

Other

  • Remote Desktop Connection Manager 2.7

Security Updates (1)

Acknowledgments

Ethan Sterling (https://twitter.com/esterling_), RunningSnail of PingAn Galaxy Lab

Revision History

  • 2020-03-10: Information published.
  • 2021-08-10: CVE revised to announce the availability of Remote Desktop Connection Manager version 2.82. This new version of the tool addresses the vulnerability.