And overall, RDCMan - even by Microsoft’s admission - was always a very basic tool and never designed to handle sophisticated functions like utilizing 2FA, managing privileged accounts, securing sensitive data, generating strong passwords, creating audit logs, and so on. Plus, RDCMan only worked in Windows deployments. For example, it lacked many of the time-saving integrations available in other (and better) alternatives. Here’s what ZDNet said about Microsoft’s response to the problem: “Instead of fixing the bug, Microsoft decided to retire RDCMan, seeing no reason to revive an app that received its last update almost six years ago.” Limited FunctionalityĮven before this major vulnerability was discovered, many users found RDCMan frustrating and limited. To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.
An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration. Here is the bulletin:Īn information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. In March, Microsoft announced that it was discontinuing Remote Desktop Connection Manager (RDCMan) due to a major security flaw ( CVE-2020-0765).
0 kommentar(er)
