CVE-2020-0765 Overview
An information disclosure vulnerability exists in Microsoft Remote Desktop Connection Manager (RDCMan) when the application improperly parses XML input containing a reference to an external entity. This XML External Entity (XXE) vulnerability allows attackers to extract sensitive information from the local system by crafting malicious XML files that are processed by the application.
Critical Impact
Successful exploitation allows attackers to read arbitrary files on the local system, potentially exposing sensitive configuration data, credentials, and other confidential information stored on the victim's machine.
Affected Products
- Microsoft Remote Desktop Connection Manager (all versions)
Discovery Timeline
- 2020-03-12 - CVE-2020-0765 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-0765
Vulnerability Analysis
This vulnerability is classified as an XML External Entity (XXE) injection flaw. The Remote Desktop Connection Manager application processes XML configuration files without properly restricting the processing of external entity references. When a user opens a specially crafted .rdg (Remote Desktop Group) file containing malicious XML content, the application's XML parser resolves external entity references, allowing an attacker to exfiltrate local file contents.
The attack requires local access and user interaction: the victim must be convinced to open a maliciously crafted RDCMan configuration file. This makes the vulnerability particularly dangerous in phishing scenarios or on compromised file shares, where users may unknowingly open untrusted RDCMan configuration files.
Root Cause
The vulnerability stems from the improper handling of XML input in the Remote Desktop Connection Manager application. The XML parser used by RDCMan does not disable external entity processing, allowing Document Type Definition (DTD) declarations to reference external resources. When the parser encounters an external entity reference in a malicious configuration file, it attempts to resolve the reference, which can include local file paths. The resolved content is then incorporated into the parsed document, enabling information disclosure.
Attack Vector
The attack requires local access to the target system and user interaction to trigger exploitation. An attacker must craft a malicious RDCMan configuration file (.rdg) containing an XXE payload that references sensitive local files. When a victim opens this file with the vulnerable RDCMan application, the XML parser processes the external entity reference and reads the contents of the specified file. The attacker can exfiltrate this data through the usual XXE exfiltration techniques, such as out-of-band (OOB) HTTP requests to attacker-controlled servers or embedding the file contents in error messages.
The vulnerability can be exploited by including a malicious DTD declaration within an RDCMan configuration file that defines an external entity pointing to a local file path. When the entity is referenced within the document, the parser reads and incorporates the target file's contents. For detailed technical exploitation guidance, refer to the Microsoft Security Advisory for CVE-2020-0765.
Detection Methods for CVE-2020-0765
Indicators of Compromise
- Presence of .rdg files with suspicious XML content containing DTD declarations or external entity references
- Unexpected outbound network connections from the RDCMan process (RDCMan.exe)
- File access events showing RDCMan reading unusual files outside its normal operational scope
- Error logs indicating XML parsing issues or failed external entity resolution attempts
Detection Strategies
- Monitor for RDCMan process spawning with command-line arguments pointing to untrusted file locations
- Implement file integrity monitoring on RDCMan configuration directories to detect introduction of malicious .rdg files
- Deploy endpoint detection rules that alert on XML files containing external entity declarations being processed by RDCMan
- Use network traffic analysis to identify suspicious outbound connections from RDCMan processes
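The check behind the first indicator of compromise and the endpoint detection rule above, as an added example that is not part of the original page or of RDCMan itself: a Python scanner that uses expat's declaration callbacks to flag any DOCTYPE and any SYSTEM/PUBLIC entity declaration in an .rdg file while refusing to resolve them, which is the restriction the Root Cause section says RDCMan's parser lacked. The .rdg samples are constructed and simplified, and the file path in the sample entity is a placeholder.

```python
import xml.parsers.expat as expat
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class RdgScanResult:
    has_doctype: bool = False
    external_entities: List[Tuple[str, str]] = field(default_factory=list)  # (name, SYSTEM/PUBLIC id)
    referenced: List[str] = field(default_factory=list)  # external ids the content tried to expand
    parse_error: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        # A legitimate .rdg carries no DTD, so any DOCTYPE is an anomaly; an entity
        # with a SYSTEM/PUBLIC identifier is the XXE signature the page describes.
        return self.has_doctype or bool(self.external_entities)

def scan_rdg(xml_bytes: bytes) -> RdgScanResult:
    """Report DTD and external-entity declarations in an .rdg document without resolving them."""
    result = RdgScanResult()
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never fetch an external DTD
    def on_doctype(name, sysid, pubid, has_internal_subset):
        result.has_doctype = True
        if sysid or pubid:  # DOCTYPE pointing at an external DTD
            result.external_entities.append(("DOCTYPE " + name, sysid or pubid))
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:  # <!ENTITY x SYSTEM "..."> or PUBLIC: an external entity
            result.external_entities.append((name, sysid or pubid))
    def on_external_ref(context, base, sysid, pubid):
        # Content referenced an external entity: record it and return 1 without
        # creating a sub-parser, so nothing is read from disk or the network.
        result.referenced.append(sysid or pubid)
        return 1
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        result.parse_error = str(exc)  # malformed input is flagged, not ignored
    return result

# Constructed, simplified .rdg-style samples (not real RDCMan output); the path is a placeholder.
BENIGN_RDG = (b'<?xml version="1.0" encoding="utf-8"?><RDCMan programVersion="2.7" schemaVersion="3">'
              b'<file><properties><name>lab</name></properties></file></RDCMan>')
XXE_RDG = (b'<?xml version="1.0" encoding="utf-8"?>'
           b'<!DOCTYPE RDCMan [<!ENTITY ext SYSTEM "file:///C:/PLACEHOLDER.txt">]>'
           b'<RDCMan programVersion="2.7" schemaVersion="3"><file><properties><name>&ext;</name></properties></file></RDCMan>')
```

To sweep a share or mailbox export, call scan_rdg() on each .rdg file's bytes and quarantine anything whose result is suspicious or carries a parse_error.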
Monitoring Recommendations
- Enable detailed logging for file system access by the RDCMan.exe process
- Configure SIEM rules to correlate file access events with potential data exfiltration patterns
- Monitor email attachments and downloads for .rdg files from untrusted sources
- Implement application whitelisting to control which applications can process XML files with external entities
How to Mitigate CVE-2020-0765
Immediate Actions Required
- Discontinue use of Microsoft Remote Desktop Connection Manager as Microsoft has deprecated this tool
- Migrate to Microsoft Remote Desktop (MSTSC) or other supported remote desktop management solutions
- Remove RDCMan from all systems where it is installed
- Train users to avoid opening .rdg files from untrusted sources
Patch Information
Microsoft has not released a patch for this vulnerability. Instead, Microsoft has deprecated the Remote Desktop Connection Manager application and recommends transitioning to alternative solutions. According to the Microsoft Security Advisory CVE-2020-0765, users should migrate away from RDCMan to supported Microsoft remote desktop management tools.
Workarounds
- Uninstall Remote Desktop Connection Manager from affected systems
- Use Microsoft Remote Desktop (MSTSC) as an alternative for remote desktop connections
- If RDCMan must be used temporarily, only open .rdg files from trusted sources
- Implement application control policies to restrict RDCMan execution in enterprise environments
- Consider using third-party remote desktop managers with proper XXE protections
# Uninstall Remote Desktop Connection Manager
# Using Windows Package Manager (if installed via winget; confirm the exact package name first with: winget list)
winget uninstall "Remote Desktop Connection Manager"
# Or remove manually by deleting the application directory
# Default location: C:\Program Files (x86)\Remote Desktop Connection Manager
# Note: deleting the directory removes the binaries but leaves any installer (Programs and Features) entry in place
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.