
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A default installation of RustDesk 1.2.3 on Windows places a WDKTestCert certificate under Trusted Root Certification Authorities with an Enhanced Key Usage of Code Signing (1.3.6.1.5.5.7.3.3), valid from 2023 until 2033. The certificate is a self-signed test certificate issued under the anonymous ID 'WDKTestCert admin,133225435702113567'. It uses SHA-1 with RSA 2048, which is considered weak for the 10-year validity period (GitHub Discussion).
The vulnerability involves two certificates: a test certificate (fingerprint: d1dbb672d5a500b9809689caea1ce49e799767f0) installed in the system ROOT-CERTSTORE, and a different certificate (fingerprint: b27892e774a8cbe382ba7ddcf4649a723b6532d8) used for signing the RustDeskIddDriver.dll. The test certificate is installed with all purposes enabled, rather than being restricted to code signing only. The certificate uses SHA-1 with RSA 2048, which is considered cryptographically weak for long-term use (GitHub Discussion).
Installing a test certificate in the Trusted Root Certification Authorities store with all purposes enabled could allow unauthorized code signing if the private key were compromised. Malicious actors could then sign arbitrary software that affected systems would trust and execute (GitHub Discussion).
The RustDesk team has addressed this issue by removing their virtual display driver and associated certificate. They have switched to using usbmmidd_v2, which is signed and verified by Microsoft. Users are advised to update to the latest version of RustDesk that implements these changes (GitHub Discussion).
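To check whether the test root is still present on a Windows host, the following PowerShell audit is an added example (not code from RustDesk or from this database). The thumbprint, subject marker and Code Signing OID are the values quoted above; scanning the per-user root store in addition to the machine store is an assumption.

```powershell
# Added example: audit the Trusted Root stores for the WDKTestCert root described above.
$KnownThumbprint = 'd1dbb672d5a500b9809689caea1ce49e799767f0'   # test certificate fingerprint from this page
$SubjectMarker   = 'WDKTestCert'                                # subject prefix from this page
$CodeSigningOid  = '1.3.6.1.5.5.7.3.3'                          # EKU from this page

# Assumption: the per-user root store is checked as well as the machine store.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Get-MatchReasons {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Thumbprints in the store are upper-case hex; -eq is case-insensitive.
    if ($Cert.Thumbprint -eq $KnownThumbprint) { 'thumbprint matches advisory' }
    if ($Cert.Subject -like "*$SubjectMarker*") { 'WDKTestCert subject' }
}

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $reasons = @(Get-MatchReasons -Cert $_)
        if ($reasons.Count -eq 0) { return }   # not the certificate we are looking for

        $ekuOids = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)

        [pscustomobject]@{
            Store        = $store
            Thumbprint   = $_.Thumbprint
            Subject      = $_.Subject
            SelfSigned   = ($_.Subject -eq $_.Issuer)
            SignatureAlg = $_.SignatureAlgorithm.FriendlyName
            RsaKeyBits   = if ($rsa) { $rsa.KeySize } else { $null }
            NotAfter     = $_.NotAfter
            CodeSigning  = ($ekuOids -contains $CodeSigningOid)
            EkuOids      = if ($ekuOids.Count) { $ekuOids -join ',' } else { '(none listed)' }
            Reasons      = $reasons -join '; '
        }
    }
}

if ($findings) {
    $findings | Format-List
    Write-Warning "WDKTestCert root found in $(@($findings).Count) store location(s)."
    exit 1      # non-zero so a compliance job can flag the host
}
Write-Output 'No WDKTestCert root certificate found in the checked stores.'
```

Run it from an elevated session so the machine store is fully readable; a hit on the subject marker without a thumbprint match indicates a different WDK test certificate and should be reviewed separately.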
The security community has expressed significant concerns about this practice, with discussions emerging on platforms like Hacker News. Security researchers have questioned the necessity of installing a test certificate with such broad permissions, and some users have reported removing the software until the situation was clarified (HN Discussion).
Source: This report was generated using AI