Remote Desktop Manager (RDM) allows administrators to manage multiple remote desktop connections and credentials efficiently. It provides users with necessary access to resources like databases, file systems, routers, and servers. However, security researchers have discovered a noticeable vulnerability (CVE-2022-3780) in components of Remote Desktop Manager 2022.3.7 and prior versions.
Vulnerability Overview
The Remote Desktop Manager uses MySQL as data sources for storing user sessions, credentials, and connection settings. Due to the unrecognized vulnerability, database connections to deleted users could remain active on MySQL data sources. Deleted users can leverage these persistent connections to access unauthorized data in Remote Desktop Manager 2022.3.7 and below.
Exploit Details
Consider the following scenario to understand the vulnerability better. Suppose several users are connected to a MySQL database through Remote Desktop Manager. When an administrator deletes a user, they may assume that the MySQL connection to the user will be terminated automatically. However, the issue lies in handling the database connections to deleted users. Due to CVE-2022-3780, these connections stay active even after the user has been deleted.
In this case, an attacker with access to the deleted user's credentials can access data despite the risk of being unauthorized. This opened door may lead to data leakage and exposure of sensitive information.
Attackers can potentially exploit the vulnerability using the MySQL's SHOW PROCESSLIST command. Here's a code snippet showing how the command might be used:
SELECT * FROM information_schema.processlist
WHERE user = 'DeletedUser'; /* Replace 'DeletedUser' with the actual deleted user's name. */
If the query returns any rows, attackers can identify the lingering connections and exploit the vulnerability.
Affected Versions
Remote Desktop Manager versions 2022.3.7 and below are affected by this vulnerability.
Mitigation and Recommendations
Users of Remote Desktop Manager are advised to follow these guidelines to prevent unauthorized access:
1. Upgrade Remote Desktop Manager to the latest version to ensure the vulnerability is patched. The latest version can be downloaded from the Devolutions' official website.
Download page: https://www.devolutions.net/download-mirror
2. Regularly monitor and terminate any lingering connections to the MySQL server, especially if they belong to deleted users. Administrators can use the SHOW PROCESSLIST command to check for such connections.
3. Implement proper access controls to limit unauthorized access to sensitive data in the Remote Desktop Manager.
For more information on CVE-2022-3780, visit the following links
1. National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-3780
2. Devolutions' blog on Remote Desktop Manager: https://blog.devolutions.net/2022/06/security-update-cve-2022-378
Conclusion
Conclusively, while Remote Desktop Manager is a useful tool for managing remote connections, it is essential to stay vigilant and informed about potential vulnerabilities like CVE-2022-3780. Regularly updating to the latest version and following recommended security practices will help mitigate risks and protect valuable information from unauthorized access.
Timeline
Published on: 11/01/2022 19:15:00 UTC
Last modified on: 07/21/2023 20:18:00 UTC