PT-2024-20774 · Rustdesk · Rustdesk

Lobito14 · Published 2024-02-06 · Updated 2024-08-29 · CVE-2024-25140

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RustDesk version 1.2.3

Description: A default installation of RustDesk on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with an Enhanced Key Usage of Code Signing, valid from 2023 until 2033. This is potentially unwanted because there is no public documentation of how the private key is protected, and if the private key were compromised, arbitrary software could be signed with a certificate the system already trusts. The vendor's position is that the test certificate is a workaround for not having an EV certificate. Insertion into Trusted Root Certification Authorities was the originally intended behavior, and the installer UI made the certificate installation step visible to the user before the product installation proceeded.

Recommendations: For RustDesk version 1.2.3, consider removing the WDKTestCert certificate from Trusted Root Certification Authorities to prevent potential misuse of the certificate for code signing. As a temporary workaround, verify all software installations thoroughly so that arbitrary software cannot be installed on the strength of the potentially compromised certificate.
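One way to audit the Windows root stores for the certificate the recommendation refers to and, if desired, remove it. This is an added PowerShell example, not code from the advisory or from RustDesk; it assumes the certificate's Subject contains the string WDKTestCert and that removal from the machine store runs in an elevated session.

```powershell
# Added example (not from the advisory or the RustDesk project): audit the
# Windows root stores for a WDKTestCert certificate carrying the Code Signing EKU.
# Assumptions: the Subject contains "WDKTestCert"; removing from
# LocalMachine\Root requires an elevated PowerShell session.

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Find-WdkTestCert {
    param([string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | Where-Object { $_.Subject -like '*WDKTestCert*' } |
            ForEach-Object {
                $cert = $_
                # Collect the EKU OIDs from the certificate's extensions.
                $eku = $cert.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

                [pscustomobject]@{
                    Store          = $store
                    Subject        = $cert.Subject
                    Thumbprint     = $cert.Thumbprint
                    NotBefore      = $cert.NotBefore
                    NotAfter       = $cert.NotAfter
                    CodeSigningEku = ($eku -contains $CodeSigningOid)
                    Path           = $cert.PSPath
                }
            }
    }
}

function Remove-WdkTestCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Only remove entries that actually carry the Code Signing EKU.
    foreach ($hit in (Find-WdkTestCert | Where-Object { $_.CodeSigningEku })) {
        if ($PSCmdlet.ShouldProcess("$($hit.Store) $($hit.Thumbprint)", 'Remove certificate')) {
            Remove-Item -Path $hit.Path
        }
    }
}

# Audit first; uncomment the second line to remove with confirmation (-WhatIf previews).
Find-WdkTestCert | Format-Table Store, Subject, Thumbprint, NotAfter, CodeSigningEku -AutoSize
# Remove-WdkTestCert -Confirm
```

Record the thumbprint before removal so the same check can be rolled out as a detection across other machines.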

Weakness Enumeration: Improper Certificate Validation

Related Identifiers: CVE-2024-25140

Affected Products: Rustdesk