Update 26-4-2021: RDCMan is now available again!
Rejoice and be thankful – see this post for more details please. I’ll leave the post below for historical context.
A perennial favourite subject on the blog has been the topic of Remote Desktop Connection Manager (RDCMan). This was an internal Microsoft tool which was made available to customers. Initially version 2.2 then version 2.7 was released.
However the tool was de-emphasised last year, and the guidance was offered to use the Universal or MSTSC. This was:
On top of the de-emphasis, a security issue was discovered with RDCMan and disclosed here:
From the advisory:
An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.
To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.
Where do I find the update for Remote Desktop Connection Manager (RDCMan)?
Microsoft is not planning on fixing this vulnerability in RDCMan and has deprecated the application. Microsoft recommends using supported Remote Desktop clients and exercising caution when opening RDCMan configuration files (.rdg).