CVE-2024-6354
📋 TL;DR
This vulnerability allows authenticated users in Devolutions Remote Desktop Manager to bypass execute permissions through the PAM dashboard. Attackers with valid credentials can perform unauthorized actions they shouldn't have permission to execute. This affects all Windows users running Remote Desktop Manager 2024.2.11 or earlier.
💻 Affected Systems
- Devolutions Remote Desktop Manager
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could execute privileged operations, access sensitive credentials, modify configurations, or potentially pivot to other systems through the compromised PAM dashboard.
Likely Case
Malicious insiders or compromised accounts bypass permission controls to access or modify privileged credentials and connections they shouldn't have access to.
If Mitigated
With proper access controls and monitoring, unauthorized access attempts would be detected and logged, limiting damage to isolated credential exposure.
🎯 Exploit Status
Exploitation requires authenticated access but appears straightforward once authenticated. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.2.12 or later
Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2024-0010
Restart Required: Yes
Instructions:
1. Download and install Remote Desktop Manager 2024.2.12 or later from the Devolutions website.
2. Close all Remote Desktop Manager instances.
3. Run the installer.
4. Restart the application after installation completes.
🔧 Temporary Workarounds
Restrict PAM Dashboard Access
Platform: Windows
Temporarily disable or restrict access to the PAM dashboard feature for non-administrative users.
Implement Least Privilege
Platform: All
Review and tighten user permissions, ensuring users only have the access rights they need.
🧯 If You Can't Patch
- Implement strict access controls and monitor all PAM dashboard usage for suspicious activity.
- Segment network access to limit potential lateral movement if credentials are compromised.
🔍 How to Verify
Check if Vulnerable:
Check the application version in Help > About. If the version is 2024.2.11 or earlier, the system is vulnerable.
Check Version:
In Remote Desktop Manager: Help > About
Verify Fix Applied:
Verify that the version is 2024.2.12 or later in Help > About. Then test that authenticated users cannot bypass execute permissions in the PAM dashboard.
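For a fleet-wide version check rather than opening Help > About on each host, the following PowerShell is an added example (not from the advisory or from Devolutions). It reads installed products from the standard Windows uninstall registry hives and compares against the 2024.2.12 fix version; the assumption is that the product registers a DisplayName beginning "Remote Desktop Manager".

```powershell
# Added example for CVE-2024-6354: flag Remote Desktop Manager installs at 2024.2.11 or earlier.

function Test-RdmVulnerableVersion {
    param([Parameter(Mandatory)][string]$Version)
    $fixed = [version]'2024.2.12'   # first fixed release named in the advisory
    $parsed = $null
    if (-not [version]::TryParse($Version, [ref]$parsed)) {
        throw "Unrecognised version string: '$Version'"
    }
    # Anything below the fixed version is vulnerable; 2024.2.12 and later are not.
    return ($parsed -lt $fixed)
}

function Get-InstalledRdmVersions {
    # Standard Windows uninstall hives: 64-bit view, 32-bit view, and per-user installs.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Assumption: the product's DisplayName starts with "Remote Desktop Manager".
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Remote Desktop Manager*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Vulnerable = Test-RdmVulnerableVersion -Version $_.DisplayVersion
            }
        }
}

# Constructed sample values showing the decision boundary (not real inventory data).
'2024.2.11', '2024.2.12', '2024.1.30.0', '2024.3.1' | ForEach-Object {
    '{0,-12} vulnerable={1}' -f $_, (Test-RdmVulnerableVersion -Version $_)
}

# Live check on this host; prints nothing if no matching product is registered.
Get-InstalledRdmVersions | Format-Table -AutoSize
```

Run it under a remoting session (Invoke-Command) to sweep many hosts and export the table to your inventory system.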
📡 Detection & Monitoring
Log Indicators:
- Unusual PAM dashboard access patterns
- Failed permission checks followed by successful operations
- Users accessing resources outside their normal permissions
Network Indicators:
- Unusual connection patterns from RDM clients to managed systems
SIEM Query:
source="rdm_logs" AND (event="permission_bypass" OR event="unauthorized_access")