CVE-2024-6055
📋 TL;DR
This vulnerability in Devolutions Remote Desktop Manager allows attackers who obtain exported configuration files to recover PowerShell credentials stored in data sources. It affects Windows users running version 2024.1.32.0 or earlier. The issue stems from improper removal of sensitive information during data export.
💻 Affected Systems
- Devolutions Remote Desktop Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to PowerShell credentials, potentially leading to lateral movement, privilege escalation, and complete domain compromise if credentials have high privileges.
Likely Case
Credential theft from exported configuration files, enabling unauthorized access to systems managed through Remote Desktop Manager.
If Mitigated
Limited impact with proper access controls on exported files and credential rotation.
🎯 Exploit Status
Exploitation requires physical or logical access to exported configuration files containing sensitive data.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.33.0 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0008
Restart Required: Yes
Instructions:
1. Download and install Remote Desktop Manager version 2024.1.33.0 or newer from the Devolutions website.
2. Restart the application.
3. Verify the update by checking Help > About.
🔧 Temporary Workarounds
Disable data source export feature
Windows: Prevent export of configuration files containing sensitive data.
Secure exported configuration files
Windows: Apply strict access controls and encryption to any exported configuration files.
🧯 If You Can't Patch
- Rotate all PowerShell credentials stored in Remote Desktop Manager data sources.
- Implement strict access controls on exported configuration files and monitor for unauthorized access.
🔍 How to Verify
Check if Vulnerable:
Check Remote Desktop Manager version via Help > About. If version is 2024.1.32.0 or earlier, the system is vulnerable.
Check Version:
Not applicable - check via application GUI Help > About menu.
Verify Fix Applied:
Verify version is 2024.1.33.0 or later via Help > About. Test data source export to confirm sensitive information is properly removed.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to exported configuration files
- Failed attempts to access PowerShell credentials from exported files
Network Indicators:
- Unusual PowerShell credential usage from systems not managed by Remote Desktop Manager
SIEM Query:
EventID=4663 AND ObjectName LIKE '%rdm_export%' AND AccessMask='0x1'
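The SIEM query above compares the mask against a single literal value. The script below is an added example (not code from the page or from Devolutions): it runs the same 4663 detection logic over constructed sample records and tests the ReadData bit with a bitwise AND instead, because the mask logged by Windows usually combines several rights (for example FILE_GENERIC_READ, 0x120089) and a string equality check misses those. The `rdm_export` filename pattern and the flattened key=value field layout are assumptions.

```python
import re

# Windows file-access right bits as they appear in the AccessMask field of
# Security event 4663 (documented Windows access-right values).
FILE_READ_DATA = 0x1       # ReadData / ListDirectory
DELETE = 0x10000           # Delete

# Constructed sample events (not real logs), flattened the way a SIEM
# might store a 4663 record. Field names and paths are assumptions.
SAMPLE_EVENTS = [
    "EventID=4663 SubjectUserName=alice ObjectName=C:\\Exports\\rdm_export_hq.rdm AccessMask=0x1",
    # FILE_GENERIC_READ: read data, attributes, EA, read control, synchronize
    "EventID=4663 SubjectUserName=svc-backup ObjectName=C:\\Exports\\rdm_export_hq.rdm AccessMask=0x120089",
    # delete-only access: not a read of the export, should not match
    "EventID=4663 SubjectUserName=bob ObjectName=C:\\Exports\\rdm_export_hq.rdm AccessMask=0x10000",
    "EventID=4663 SubjectUserName=alice ObjectName=C:\\Temp\\notes.txt AccessMask=0x1",
    # 4656 is the handle request, not the access itself; ignored here
    "EventID=4656 SubjectUserName=alice ObjectName=C:\\Exports\\rdm_export_hq.rdm AccessMask=0x1",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split a flattened event line into a dict; AccessMask becomes an int."""
    fields = dict(FIELD_RE.findall(line))
    if "AccessMask" in fields:
        fields["AccessMask"] = int(fields["AccessMask"], 16)
    return fields


def is_export_read(event, name_pattern="rdm_export"):
    """True for a 4663 event that reads an object whose path contains name_pattern.

    The bitwise test matches any mask in which the ReadData bit is set,
    not only the bare value 0x1.
    """
    mask = event.get("AccessMask", 0)
    return (
        event.get("EventID") == "4663"
        and name_pattern in event.get("ObjectName", "")
        and (mask & FILE_READ_DATA) != 0
    )


def find_export_reads(lines):
    """Return (user, object, mask) for every matching event, in log order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_export_read(ev):
            hits.append((ev["SubjectUserName"], ev["ObjectName"], ev["AccessMask"]))
    return hits


if __name__ == "__main__":
    for user, obj, mask in find_export_reads(SAMPLE_EVENTS):
        print(f"{user} read {obj} (mask {mask:#x})")
```

Run against the constructed input it reports the two reads (alice and svc-backup) and ignores the delete-only access, the unrelated file and the 4656 handle request.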