CVE-2023-4373 - Breaking Permissions in Devolutions Remote Desktop Manager with Remote Tools and Macros

*Published: July 2024 - By Security Tech Blog*


Devolutions Remote Desktop Manager (RDM) is a popular tool for managing remote connections and credentials, used by thousands of IT pros daily. But sometimes, security in such tools can go wrong in dangerous ways. One recent example is CVE-2023-4373. This vulnerability, which affects RDM versions up to 2023.2.19, opens the door for regular users to bypass important permissions and perform actions they shouldn't. Let's dive deep, look at a simple proof-of-concept (PoC), and explain everything so no IT admin misses this red flag.

What is CVE-2023-4373?

CVE-2023-4373 is a security flaw that comes down to “inadequate validation of permissions” when using remote tools and macros through RDM. In plain language: RDM failed to make sure that only authorized users could initiate connections or run remote tools. This lets an attacker with access to the RDM interface do things they don’t have the right to do, like initiating a remote connection or executing a macro even if the administrator tried to block them.

How Does the Attack Work?

The bug is all about the remote tools feature. For example, suppose your company configures RDM to only let admins run certain remote tools (like running PowerShell scripts or executing macros on a remote server). A normal user should be blocked by those central policies.

But in RDM versions up to 2023.2.19, there are gaps in the way permissions are checked. Instead of verifying at every step whether the user is authorized, RDM sometimes skips or wrongly implements these checks—especially when the feature is accessed via macros or scripts. That means a clever user can force the tool to execute remote connections or commands the admin didn’t allow.

Exploiting the Vulnerability: Practical Example

Here’s what a proof-of-concept attack might look like. Suppose a restricted user has access to RDM, but their role *should* prevent them from connecting to “ServerA” using PowerShell Remote.

Step 1: Creating the Macro

Create a macro in RDM that contains a connection command:

# Example Macro (cmd type)
powershell.exe -Command "Invoke-Command -ComputerName ServerA -ScriptBlock { Get-Process }"

Step 2: Attaching the Macro

Attach this macro to any RDM entry the user *can* access, like another test server or their own machine.

Step 3: Execution

Because of the permission bypass, when they run the macro—even if they shouldn’t have permissions—RDM doesn’t stop them. The command is executed on ServerA, and the user gets process info from a server they shouldn’t even be able to touch.

Step 4: Automation

Advanced attackers could automate this using RDM’s scripting features or via custom tools, allowing all sorts of privilege escalations, data leaks, or lateral movement.

Here’s a snippet demonstrating the vulnerable flow:

# PowerShell Macro (abused permissions)
$server = "ServerA"
Invoke-Command -ComputerName $server -ScriptBlock { Get-LocalUser } # Returns list of local users

Even when user policy intends to block access, this macro runs due to the bug.

Escalation Risk: Local privilege escalation and lateral movement opportunities for attackers.

If you use RDM to segment who can access which remote resources, CVE-2023-4373 may break your security design.

Mitigation and Update

The fix is simple: Update to Remote Desktop Manager 2023.2.20 or later. Devolutions has patched the problem and now properly checks permissions before executing remote tools or macros.
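As an added illustration (this is not Devolutions' code, and the users, entry names and policy table are constructed), the model below contrasts a macro path that only checks the entry the macro is attached to with a fixed path that authorizes the macro's real target at the single point where a connection is opened, which is the check-at-execution pattern the fix description above amounts to.

```python
# Added example: a simplified model of the permission gap, not RDM's code.
# Users, entry names and the policy table are constructed sample values.
from dataclasses import dataclass


@dataclass
class Macro:
    target: str   # host the macro's command actually reaches
    command: str  # e.g. the Invoke-Command line from the PoC above


class Policy:
    """Which users may open a connection to which entry (constructed)."""

    def __init__(self, allowed: dict[str, set[str]]):
        self.allowed = allowed

    def may_connect(self, user: str, target: str) -> bool:
        return user in self.allowed.get(target, set())


def open_connection(policy: Policy, user: str, target: str) -> bool:
    """Choke point: every connection, however initiated, is authorized here."""
    return policy.may_connect(user, target)


def connect_direct(policy: Policy, user: str, target: str) -> bool:
    """Direct path (user opens an entry): the check is enforced."""
    return open_connection(policy, user, target)


def run_macro_vulnerable(policy: Policy, user: str, entry: str, macro: Macro) -> bool:
    """Vulnerable path: only the attached entry is checked; the command then
    runs against macro.target with no second authorization."""
    if not policy.may_connect(user, entry):
        return False
    return True  # macro.command executed on macro.target, unchecked


def run_macro_fixed(policy: Policy, user: str, entry: str, macro: Macro) -> bool:
    """Fixed path: the macro's real target goes through the choke point."""
    if not policy.may_connect(user, entry):
        return False
    return open_connection(policy, user, macro.target)


if __name__ == "__main__":
    policy = Policy({"ServerA": {"admin"}, "TestBox": {"admin", "alice"}})
    macro = Macro("ServerA", "Invoke-Command -ComputerName ServerA ...")
    print("direct:    ", connect_direct(policy, "alice", "ServerA"))             # False
    print("vulnerable:", run_macro_vulnerable(policy, "alice", "TestBox", macro))  # True
    print("fixed:     ", run_macro_fixed(policy, "alice", "TestBox", macro))       # False
```

The point to carry over to real deployments is that authorization belongs at the connection choke point, not only on the interactive path, so that macros, scripts and remote tools all hit the same check.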

Workaround for legacy users: Restrict access to macro and remote tool creation, and monitor usage logs for unexpected connection attempts.

Final Thoughts

IT professionals rely on tools like Devolutions Remote Desktop Manager to *enforce* security, not to poke holes in it. If you’re still on an affected version, patch now or risk giving too much power to the wrong person. Always test and review permission controls, and stay on top of vendor advisories.

Stay safe, patch often, and monitor your remote access environments!


Timeline

Published on: 08/21/2023 19:15:00 UTC
Last modified on: 08/25/2023 17:57:00 UTC