RDCMan Download Removed

A perennial favourite subject on the blog has been Remote Desktop Connection Manager (RDCMan). This was an internal Microsoft tool that was made available to customers. Version 2.2 was released initially, followed by version 2.7.

However, the tool was de-emphasised last year, and the guidance offered was to use the universal Remote Desktop client or MSTSC instead. This was:

Use MSTSC or universal Remote Desktop client instead of RDCMan in Windows 10

RDCMan De-Emphasised

On top of the de-emphasis, a security issue was discovered with RDCMan and disclosed here:

CVE-2020-0765 | Remote Desktop Connection Manager Information Disclosure Vulnerability

From the advisory:

An information disclosure vulnerability exists in the Remote Desktop Connection Manager (RDCMan) application when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.

To exploit the vulnerability, an attacker could create an RDG file containing specially crafted XML content and convince an authenticated user to open the file.

FAQ

Where do I find the update for Remote Desktop Connection Manager (RDCMan)?

Microsoft is not planning on fixing this vulnerability in RDCMan and has deprecated the application. Microsoft recommends using supported Remote Desktop clients and exercising caution when opening RDCMan configuration files (.rdg).
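
One way to act on the "exercising caution" guidance, as an added example that is not part of the original post or of Microsoft's advisory: a Python check that flags any .rdg file declaring a DTD before anyone opens it in RDCMan. The function names and the sample file contents are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# An RDCMan group file is plain XML and has no need for a DTD, so any
# DOCTYPE or ENTITY declaration is reason to refuse the file.
DTD_MARKER = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed samples (not taken from a real RDCMan installation).
CLEAN_RDG = (b'<?xml version="1.0" encoding="utf-8"?>'
             b'<RDCMan programVersion="2.7" schemaVersion="3"><file>'
             b'<properties><name>Lab</name></properties></file></RDCMan>')
SUSPECT_RDG = (b'<?xml version="1.0" encoding="utf-8"?>'
               b'<!DOCTYPE RDCMan [<!ENTITY ext SYSTEM "PLACEHOLDER">]>'
               b'<RDCMan programVersion="2.7" schemaVersion="3"/>')


def find_dtd_markers(raw: bytes) -> list[str]:
    """Return the DTD keywords found in raw file bytes, without parsing XML."""
    # The bytes never reach an XML parser, so the scan cannot resolve entities.
    # Dropping NUL bytes lets one ASCII pattern match UTF-8, UTF-16 and
    # UTF-32 input, so re-encoding the file does not hide a declaration.
    text = raw.replace(b"\x00", b"").decode("latin-1")
    return sorted({m.group(1).upper() for m in DTD_MARKER.finditer(text)})


def scan_rdg_tree(root: Path) -> dict[Path, list[str]]:
    """Map every .rdg file under root that declares a DTD to its markers."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".rdg":
            markers = find_dtd_markers(path.read_bytes())
            if markers:
                findings[path] = markers
    return findings


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    for path, markers in sorted(scan_rdg_tree(root).items()):
        print(f"REVIEW {path}: contains {', '.join(markers)}")
```

The match is deliberately conservative: a declaration that appears only inside an XML comment is still flagged for manual review.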

Cheers,

Rhoderick

Rhoderick Milne [MSFT]
