CVE-2024-6057
📋 TL;DR
This vulnerability allows an attacker who already has access to a Devolutions Remote Desktop Manager (RDM) instance to bypass the vault master password protection by using the offline mode feature. It affects organizations that use RDM for credential management, potentially exposing stored passwords and sensitive connection data. The attacker needs initial access to the system, but from that foothold can escalate to the protected vault contents.
💻 Affected Systems
- Devolutions Remote Desktop Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all credentials stored in RDM vaults, leading to lateral movement across the network, data exfiltration, and potential domain takeover if privileged credentials are stored.
Likely Case
Attacker with initial access to an RDM user's workstation can extract stored passwords and connection details, enabling further credential theft and unauthorized access to systems managed through RDM.
If Mitigated
With proper access controls and monitoring, impact is limited to the specific compromised user's stored credentials rather than organization-wide credential exposure.
🎯 Exploit Status
Exploitation requires initial access to the system but is straightforward once that access is obtained. The vulnerability is itself an authentication bypass of the vault master password.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.32.0 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0008
Restart Required: Yes
Instructions:
1. Download RDM version 2024.1.32.0 or later from the Devolutions website.
2. Close all RDM instances.
3. Run the installer.
4. Restart the application.
🔧 Temporary Workarounds
Disable offline mode
Platform: Windows
Prevent use of the offline mode feature, which is required for exploitation.
Not applicable (configuration setting in RDM)
Restrict RDM access
Platform: All
Limit who can access RDM instances through user permissions and network segmentation.
🧯 If You Can't Patch
- Implement strict access controls to limit who can access systems with RDM installed
- Enable detailed logging and monitoring for RDM access and vault usage patterns
🔍 How to Verify
Check if Vulnerable:
Check the RDM version in Help > About. If the version is 2024.1.31.0 or earlier, the system is vulnerable.
Check Version:
In RDM: Help > About shows version number
Verify Fix Applied:
Verify that the RDM version shown in Help > About is 2024.1.32.0 or later.
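The version check above is easy to get wrong when scripted across many workstations: comparing version strings as text ranks "2024.1.9.0" above "2024.1.32.0". The following is an added example, not part of the advisory or of any Devolutions tooling, that compares a version string copied from Help > About (or collected by an inventory tool) against the fixed version 2024.1.32.0 numerically. The sample version strings are constructed.

```python
# Added example: numeric comparison of an installed RDM version against the
# fixed version named in the advisory (2024.1.32.0). Not Devolutions code.
FIXED_VERSION = "2024.1.32.0"


def parse_version(version):
    """Turn '2024.1.32.0' into (2024, 1, 32, 0).

    Shorter strings such as '2024.1.32' are padded with zeros so that
    '2024.1.32' and '2024.1.32.0' compare equal. Non-numeric components
    raise ValueError rather than silently comparing as strings.
    """
    parts = []
    for component in version.strip().split("."):
        if not component.isdigit():
            raise ValueError(f"non-numeric version component in {version!r}")
        parts.append(int(component))
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory, fixed=FIXED_VERSION):
    """Given {hostname: version} (constructed input), return the hostnames
    still running a vulnerable build, sorted for stable reporting."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver, fixed))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample values.
    sample_inventory = {
        "WS01": "2024.1.31.0",  # last vulnerable build per the advisory
        "WS02": "2024.1.32.0",  # first fixed build
        "WS03": "2024.1.9.0",   # older; string comparison would misrank this
        "WS04": "2024.1.32",    # same as 2024.1.32.0 after padding
    }
    for host in triage(sample_inventory):
        print(f"{host}: vulnerable ({sample_inventory[host]} < {FIXED_VERSION})")
```

Feed `triage()` whatever version inventory you already collect (software inventory exports, endpoint management data); the comparison does not depend on where the string came from.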
📡 Detection & Monitoring
Log Indicators:
- Multiple failed vault authentication attempts followed by successful offline mode access
- Unusual patterns of vault access from unexpected user accounts or systems
Network Indicators:
- Unusual RDM-related network traffic patterns to credential storage locations
SIEM Query:
Correlate EventID 4624 (successful logon) with subsequent RDM process execution and vault access events from the same user and host within a short time window.
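The two log indicators and the SIEM query above describe sequences rather than single events, so a detection has to keep per-user state across records. The following is an added example, not part of the advisory, that implements both correlations over a small set of constructed events: the Windows-side records reuse the real event IDs 4624 (logon) and 4688 (process creation), while the RDM-side event names (`rdm_vault_auth_failed`, `rdm_offline_mode_access`, `rdm_vault_auth_ok`) are placeholders chosen for this example, because the advisory does not describe RDM's own log format. Hostnames, usernames and timestamps are constructed.

```python
# Added example: two sequence detections for the indicators in the advisory.
# Event names prefixed "rdm_" are placeholders, not RDM's real log fields.
from datetime import datetime, timedelta

RDM_PROCESS = "RemoteDesktopManager.exe"

# Constructed sample events (not real Windows or RDM log output).
SAMPLE_EVENTS = [
    # alice: logon, RDM start 30 s later, three failed vault unlocks, then offline-mode access
    {"ts": "2024-06-10T09:00:00", "host": "WS01", "user": "alice", "event": "4624", "detail": "logon"},
    {"ts": "2024-06-10T09:00:30", "host": "WS01", "user": "alice", "event": "4688", "detail": RDM_PROCESS},
    {"ts": "2024-06-10T09:01:00", "host": "WS01", "user": "alice", "event": "rdm_vault_auth_failed", "detail": "vault=Prod"},
    {"ts": "2024-06-10T09:01:20", "host": "WS01", "user": "alice", "event": "rdm_vault_auth_failed", "detail": "vault=Prod"},
    {"ts": "2024-06-10T09:01:40", "host": "WS01", "user": "alice", "event": "rdm_vault_auth_failed", "detail": "vault=Prod"},
    {"ts": "2024-06-10T09:02:10", "host": "WS01", "user": "alice", "event": "rdm_offline_mode_access", "detail": "vault=Prod"},
    # bob: ordinary day; RDM started two hours after logon, vault unlocked on the first try
    {"ts": "2024-06-10T08:00:00", "host": "WS02", "user": "bob", "event": "4624", "detail": "logon"},
    {"ts": "2024-06-10T10:00:00", "host": "WS02", "user": "bob", "event": "4688", "detail": RDM_PROCESS},
    {"ts": "2024-06-10T10:00:15", "host": "WS02", "user": "bob", "event": "rdm_vault_auth_ok", "detail": "vault=Prod"},
]


def _chronological(events):
    return sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))


def logon_then_rdm_then_vault(events, window=timedelta(minutes=5)):
    """SIEM query from the advisory: 4624 logon, then RDM process creation,
    then offline-mode vault access, all for the same (host, user) and all
    within `window` of the logon. Returns one alert per completed sequence."""
    alerts = []
    stage = {}  # (host, user) -> (stage_number, logon_time)
    for e in _chronological(events):
        key, t = (e["host"], e["user"]), datetime.fromisoformat(e["ts"])
        if e["event"] == "4624":
            stage[key] = (1, t)
            continue
        if key not in stage or t - stage[key][1] > window:
            continue  # no logon in scope, or the sequence has gone stale
        s, logon_time = stage[key]
        if s == 1 and e["event"] == "4688" and e["detail"].lower() == RDM_PROCESS.lower():
            stage[key] = (2, logon_time)
        elif s == 2 and e["event"] == "rdm_offline_mode_access":
            alerts.append({"rule": "logon_rdm_offline_access", "host": e["host"],
                           "user": e["user"], "ts": e["ts"]})
            del stage[key]  # one alert per logon
    return alerts


def failed_auth_then_offline(events, min_failures=3, window=timedelta(minutes=10)):
    """Log indicator from the advisory: at least `min_failures` failed vault
    authentications followed by offline-mode access within `window`."""
    alerts = []
    failures = {}  # (host, user) -> list of failure times
    for e in _chronological(events):
        key, t = (e["host"], e["user"]), datetime.fromisoformat(e["ts"])
        if e["event"] == "rdm_vault_auth_failed":
            failures.setdefault(key, []).append(t)
        elif e["event"] == "rdm_offline_mode_access":
            recent = [f for f in failures.get(key, []) if t - f <= window]
            if len(recent) >= min_failures:
                alerts.append({"rule": "failed_auth_then_offline", "host": e["host"],
                               "user": e["user"], "ts": e["ts"], "failures": len(recent)})
                failures[key] = []  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in logon_then_rdm_then_vault(SAMPLE_EVENTS) + failed_auth_then_offline(SAMPLE_EVENTS):
        print(alert)
```

Both rules key on (host, user) so that an attacker's activity on one workstation is not masked by the same user's legitimate RDM use elsewhere. The thresholds (`window`, `min_failures`) are starting points; tune them against a baseline of normal RDM start-up and vault-unlock behaviour before alerting on them, since users do routinely open RDM shortly after logging on.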