secuvera-SA-2023-01: Cleartext Storage of Sensitive Information in Memory of mRemoteNG Processes

Affected Products
    mRemoteNG <=v1.76.20, <= v1.77.3.1784-NB (older/other releases have not been tested)

References
    https://www.secuvera.de/advisories/secuvera-SA-2023-01.txt (used for updates)
    https://github.com/mRemoteNG/mRemoteNG/issues/2420
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-30367
    https://cwe.mitre.org/data/definitions/316.html
    https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper
    https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Summary:
    Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to store and manage multi-protocol connection configurations to remotely connect to systems. These configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up, even if no connection has been established yet.

Effect:
    This vulnerability allows attackers to access the contents of configuration files in plaintext through a memory dump and thus compromise user credentials when no custom password encryption key has been set. This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory. When no custom password encryption key/password has been set, dumped configuration files can still contain encrypted passwords, which can be decrypted with mRemoteNG's default key mR3m.

Note:
    Please be aware that configuration password encryption and connection file encryption are different settings. Configuration password encryption is used to encrypt the configured connection password entry (e.g. an RDP password) within the configuration XML file only, while connection configuration file encryption is used to encrypt the whole configuration file itself.
    This vulnerability bypasses the connection file encryption by dumping already decrypted configurations from memory. Configuration files can therefore be accessed in plaintext but can still contain password entries in an encrypted state. These can be decrypted with mRemoteNG's default key (when no custom password encryption key/password has been set) or with the custom key configured by the user (which can still be brute-forced).

Examples:
    1) Create a new connection configuration, set hostname, username and password.
    2) Enable disk file encryption for configuration files.
    3) Restart mRemoteNG.
    4) Use Task Manager / Process Hacker / ProcDump or any other tool that can create minidumps of a process to create a minidump.
    5) Examine the minidump file and search for "
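
A detection-side sketch for step 4, added here and not part of the advisory or of the mRemoteNG project: it flags processes that opened mRemoteNG.exe with the PROCESS_VM_READ access right, which a minidump tool needs. It assumes Sysmon ProcessAccess logging (Event ID 10) is enabled and that events arrive as dictionaries; the sample events and the allowlisted path are constructed.

```python
from ntpath import basename  # parses Windows paths on any OS

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
TARGET_NAME = "mremoteng.exe"
# Assumption: software expected to read process memory here (hypothetical path).
ALLOWED_SOURCES = {r"c:\program files\exampleedr\agent.exe"}

MRNG = r"C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe"
# Constructed sample events using Sysmon Event ID 10 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": MRNG, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": MRNG, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": MRNG, "GrantedAccess": "0x1000"},  # query-only, no memory read
    {"EventID": 10, "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe",
     "TargetImage": MRNG, "GrantedAccess": "0x1fffff"},  # allowlisted source
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1fffff"},
]


def find_memory_read_access(events):
    """Return (source_image, granted_access) for each event in which a
    non-allowlisted process opened mRemoteNG.exe with PROCESS_VM_READ."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if basename(ev.get("TargetImage", "")).lower() != TARGET_NAME:
            continue
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # malformed access mask: skip the record
        if not access & PROCESS_VM_READ:
            continue  # handle cannot be used to read the process's memory
        source = ev.get("SourceImage", "")
        if source.lower() in ALLOWED_SOURCES:
            continue
        hits.append((source, hex(access)))
    return hits


if __name__ == "__main__":
    for source, access in find_memory_read_access(SAMPLE_EVENTS):
        print(f"memory-read handle on mRemoteNG.exe from {source} ({access})")
```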