Microsoft released a new version of Remote Desktop Connection Manager (RDCMan) this week. This version, released as part of the SysInternals suite, solves a critical vulnerability and allows admins in Microsoft-oriented networks to enjoy remote desktop connections again (relatively) safely.
About Remote Desktop Connection Manager
RDCMan used to be a popular tool to collect, categorize and use multiple remote desktop connections in Microsoft-oriented networks. It was available as a free download until March 2020 when a critical vulnerability (CVE-2020-0765) was found in the program. The version we used back then (version 2.7) dated back to 2014.
About the 2020 vulnerability in RDCMan
An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.
To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.
On March 12, 2020, Microsoft didn’t recommended uninstalling Remote Desktop Connection Manager (RDCMan), but many admins removed it from their management boxes and resorted to alternatives like mRemoteNG, RD Tabs, RDM and even purely paid solutions like RoyalTS.
Their way of thinking was that by uninstalling RDCMan, an attacker could no longer trick them into use RDCMan using files with the *.rdg extension.
Remote Desktop Connection Manager v2.8
Version 2.8 of Remote Desktop Connection Manager (RDCMan) is released as part of the SysInternals suite. You can download version 2.8 of the Remote Desktop Connection Manager (RDCMan) from Microsoft.
Microsoft discontinues RDCMan app following security bug
Microsoft Discontinues Remote Desktop Connection Manager (RDCMan)
RDCMan v2.8, AccessChk v6.14, Process Monitor v3.83, Strings v2.54, Sysmon v13.22 and TCPView v4.13