CVE-2023-30367
📋 TL;DR
mRemoteNG versions up to 1.76.20 and 1.77.3-dev load encrypted configuration files into memory in plain text at startup, even when not actively connecting. Attackers can dump memory to extract stored credentials like passwords and connection details, bypassing file encryption. This affects all users who haven't set a custom password encryption key.
💻 Affected Systems
- mRemoteNG
📦 What is this software?
mRemoteNG by mRemoteNG
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of all stored credentials (passwords, SSH keys, RDP credentials) leading to lateral movement across all managed systems.
Likely Case
Extraction of sensitive credentials from memory dumps, enabling unauthorized access to remote systems.
If Mitigated
Limited impact if a custom encryption key is used and memory dumping is prevented via OS controls.
🎯 Exploit Status
Exploit requires local access or the ability to dump process memory; tools like mimikatz or custom scripts can be used.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.77.4 or later
Vendor Advisory: https://github.com/mRemoteNG/mRemoteNG/issues/2420
Restart Required: Yes
Instructions:
1. Download the latest version from mRemoteNG GitHub releases.
2. Install over the existing version.
3. Restart mRemoteNG.
🔧 Temporary Workarounds
Set custom encryption key
(All platforms) Use a strong custom password encryption key in mRemoteNG settings to protect configuration files.
Open mRemoteNG > Tools > Options > Security > Set 'Encryption Engine' to 'AES' and provide a custom key.
Restrict memory access
(Windows) Use OS controls to limit who can dump memory from the mRemoteNG process.
Windows: Configure process security via Group Policy or local security settings.
🧯 If You Can't Patch
- Set a strong custom encryption key in mRemoteNG and rotate all stored credentials.
- Isolate mRemoteNG to trusted systems, monitor for memory dumping activity, and consider alternative remote management tools.
🔍 How to Verify
Check if Vulnerable:
Check the mRemoteNG version in Help > About; if it is 1.76.20 or earlier, or 1.77.3-dev or earlier, it is vulnerable.
Check Version:
On Windows: Check 'Help > About' in mRemoteNG GUI or inspect installed programs.
Verify Fix Applied:
Update to v1.77.4+, verify version in Help > About, and ensure custom encryption key is set.
📡 Detection & Monitoring
Log Indicators:
- Unusual process memory access events, unexpected mRemoteNG crashes or restarts.
Network Indicators:
- Anomalous connections from mRemoteNG host to new internal systems post-exploit.
SIEM Query:
Example: process creation events whose parent process is mRemoteNG and whose command line includes a memory-dumping tool such as procdump or mimikatz.
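The two indicators above (a memory-dumping tool spawned under mRemoteNG, and unusual process memory access against it) as detection logic run over sample events. This is an added example, not part of the advisory or of the mRemoteNG project; the log lines are constructed and the field names follow Sysmon's process-creation (EventID 1) and ProcessAccess (EventID 10) schema. The EDR allowlist path is an assumed placeholder for a site-specific value.

```python
"""Triage constructed Sysmon-style process events for the two indicators
the advisory lists: (a) a process spawned under mRemoteNG whose command
line names a memory-dumping tool, and (b) another process opening a
handle to the mRemoteNG process (ProcessAccess, EventID 10).
All events below are constructed for this example."""
import json
from typing import Iterable

TARGET_IMAGE = "mremoteng.exe"
# Tool names taken from the advisory's SIEM example; extend per environment.
DUMP_TOOL_MARKERS = ("procdump", "mimikatz")
# Assumed allowlist of source images that legitimately open the process
# (e.g. an EDR agent). Placeholder path, site-specific in practice.
ACCESS_ALLOWLIST = {r"c:\program files\edr\agent.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dump_tool_spawn(ev: dict) -> bool:
    """Advisory rule: process creation whose parent is mRemoteNG and whose
    command line contains a memory-dumping tool name."""
    if ev.get("EventID") != 1:
        return False
    parent_is_target = _basename(ev.get("ParentImage", "")) == TARGET_IMAGE
    cmd = ev.get("CommandLine", "").lower()
    return parent_is_target and any(m in cmd for m in DUMP_TOOL_MARKERS)


def is_unexpected_process_access(ev: dict) -> bool:
    """'Unusual process memory access' indicator: ProcessAccess where the
    target is mRemoteNG and the source image is not allowlisted."""
    if ev.get("EventID") != 10:
        return False
    if _basename(ev.get("TargetImage", "")) != TARGET_IMAGE:
        return False
    return ev.get("SourceImage", "").lower() not in ACCESS_ALLOWLIST


def triage(lines: Iterable[str]) -> list:
    """Return (rule_name, event) pairs for every JSON line that matches."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_dump_tool_spawn(ev):
            hits.append(("dump_tool_spawn", ev))
        elif is_unexpected_process_access(ev):
            hits.append(("unexpected_process_access", ev))
    return hits


# Constructed sample events: one hit per rule plus two benign events.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1,
                "ParentImage": r"C:\Program Files\mRemoteNG\mRemoteNG.exe",
                "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "cmd.exe /c procdump.exe 4321 out.dmp"}),
    json.dumps({"EventID": 1,
                "ParentImage": r"C:\Program Files\mRemoteNG\mRemoteNG.exe",
                "Image": r"C:\Program Files\mRemoteNG\Resources\PuTTYNG.exe",
                "CommandLine": "PuTTYNG.exe -ssh admin@server01"}),
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Users\bob\tool.exe",
                "TargetImage": r"C:\Program Files\mRemoteNG\mRemoteNG.exe",
                "GrantedAccess": "0x1fffff"}),
    json.dumps({"EventID": 10,
                "SourceImage": r"C:\Program Files\EDR\agent.exe",
                "TargetImage": r"C:\Program Files\mRemoteNG\mRemoteNG.exe",
                "GrantedAccess": "0x1010"}),
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("Image") or ev.get("SourceImage"))
```

Feed real Sysmon JSON (one event per line) to `triage` and route the rule names to the SIEM; the ProcessAccess rule is the one that catches dumpers that are not children of mRemoteNG, so it is the more general of the two.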
🔗 References
- http://packetstormsecurity.com/files/173829/mRemoteNG-1.77.3.1784-NB-Sensitive-Information-Extraction.html
- https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper
- https://github.com/mRemoteNG/mRemoteNG/issues/2420
- https://www.secuvera.de/advisories/secuvera-SA-2023-01.txt