It has been revealed that the default installation of RustDesk 1.2.3 on Windows raises security concerns by placing a WDKTestCert certificate under Trusted Root Certification Authorities. This certificate, with an Enhanced Key Usage of Code Signing, is valid from 2023 until 2033. While the vendor explains that this is a workaround due to the absence of an EV cert, potential risks arise from the lack of public documentation on the security measures for the private key. This scenario could lead to the signing of arbitrary software if the private key were to be compromised.
Published on February 6, 2024, the advisory includes an EPSS score indicating a low probability of exploitation activity in the next 30 days. However, the critical CVSS score of 9.8 emphasizes the severity of the vulnerability. The assigned CWE id is 295, indicating improper certificate validation. The provided references, including discussions on Hacker News and GitHub, contribute to understanding the issue and tracking its technical details. Users are advised to consider the potential risks and monitor updates from RustDesk.
Reference:
