CVE-2024-11671
📋 TL;DR
This vulnerability allows authenticated users in Devolutions Remote Desktop Manager to bypass multi-factor authentication (MFA) by switching data sources. It affects Windows installations of Remote Desktop Manager 2024.3.17 and earlier versions where SQL data sources with MFA are configured.
💻 Affected Systems
- Devolutions Remote Desktop Manager
📦 What is this software?
Devolutions Remote Desktop Manager is a Windows client for centralizing remote connections and the credentials they use. Connection data is stored in data sources, which can be file-based or backed by a SQL database, and SQL data sources can be configured to require MFA.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could bypass MFA entirely, gaining unauthorized access to sensitive remote connections and credentials stored in the database.
Likely Case
Authenticated users with legitimate access but limited privileges could elevate their access by bypassing MFA requirements for sensitive data sources.
If Mitigated
With proper network segmentation and least privilege access controls, the impact is limited to the specific user's authorized access scope.
🎯 Exploit Status
Exploitation requires authenticated access to the Remote Desktop Manager application and knowledge of the data source switching functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.3.18 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0016
Restart Required: Yes
Instructions:
1. Download Remote Desktop Manager 2024.3.18 or later from the Devolutions website.
2. Close all Remote Desktop Manager instances.
3. Run the installer.
4. Restart the application.
🔧 Temporary Workarounds
Disable SQL Data Source MFA (Windows)
Temporarily disable MFA for SQL data sources until patching is possible.
Open Remote Desktop Manager > Administration > Data Sources > Select SQL data source > Security tab > Disable MFA
Use File-Based Data Sources (Windows)
Switch from SQL data sources to file-based data sources, which are not affected by this vulnerability.
Export data from SQL source > Create new file-based data source > Import data
🧯 If You Can't Patch
- Implement strict access controls and monitor user activity within Remote Desktop Manager
- Segment network access to SQL database servers and implement additional authentication layers
🔍 How to Verify
Check if Vulnerable:
Check Help > About in Remote Desktop Manager. If the version is 2024.3.17 or earlier and SQL data sources with MFA are in use, the installation is vulnerable.
Check Version:
In Remote Desktop Manager: Help > About
Verify Fix Applied:
After updating, verify version is 2024.3.18 or later in Help > About. Test MFA enforcement when switching between SQL data sources.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed MFA attempts followed by successful authentication
- Rapid data source switching events
- Authentication events without corresponding MFA validation
Network Indicators:
- Unusual SQL database access patterns from Remote Desktop Manager clients
- Authentication requests bypassing expected MFA flow
SIEM Query:
source="rdm_logs" AND ((event_type="data_source_switch" AND mfa_bypass="true") OR (auth_success="true" AND NOT mfa_validation="true"))
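The two log indicators that are easiest to check mechanically are an authentication success with no matching MFA validation and a burst of data source switches by one user. The script below is an added example, not code from Devolutions or from this advisory; the event field names, the ISO timestamps and the sample events are constructed assumptions, so map them to whatever your log export actually contains.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names and values are assumptions for this
# example, not Remote Desktop Manager's real log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-11-20T09:00:00", "user": "alice", "event": "auth_success", "source": "SQL-Prod"},
    {"ts": "2024-11-20T09:00:05", "user": "alice", "event": "mfa_validated", "source": "SQL-Prod"},
    {"ts": "2024-11-20T09:10:00", "user": "bob", "event": "auth_success", "source": "SQL-Prod"},
    {"ts": "2024-11-20T09:10:02", "user": "bob", "event": "data_source_switch", "source": "SQL-Prod"},
    {"ts": "2024-11-20T09:10:04", "user": "bob", "event": "data_source_switch", "source": "SQL-HR"},
    {"ts": "2024-11-20T09:10:06", "user": "bob", "event": "data_source_switch", "source": "SQL-Prod"},
]

MFA_WINDOW = timedelta(seconds=60)     # MFA validation expected within this time of auth success
SWITCH_WINDOW = timedelta(seconds=30)  # window for counting data source switches
SWITCH_THRESHOLD = 3                   # switches within SWITCH_WINDOW that count as "rapid"

def ts(s):
    return datetime.fromisoformat(s)

def find_auth_without_mfa(events, window=MFA_WINDOW):
    """Return (user, source, ts) for each auth_success with no mfa_validated
    event for the same user and data source within `window` afterwards."""
    findings = []
    for e in events:
        if e["event"] != "auth_success":
            continue
        t0 = ts(e["ts"])
        validated = any(
            o["event"] == "mfa_validated" and o["user"] == e["user"]
            and o["source"] == e["source"] and t0 <= ts(o["ts"]) <= t0 + window
            for o in events)
        if not validated:
            findings.append((e["user"], e["source"], e["ts"]))
    return findings

def find_rapid_switching(events, window=SWITCH_WINDOW, threshold=SWITCH_THRESHOLD):
    """Return users with at least `threshold` data_source_switch events
    inside any `window`-long interval."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "data_source_switch":
            by_user[e["user"]].append(ts(e["ts"]))
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        # slide a window starting at each switch and count switches inside it
        if any(sum(1 for t in times if t0 <= t <= t0 + window) >= threshold for t0 in times):
            flagged.add(user)
    return sorted(flagged)
```

Both checks are per user and data source, so a hit on one user across two sources is worth a closer look than a single unmatched event caused by a log gap.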