Security
Headlines
HeadlinesLatestCVEs

Headline

KeePass Vulnerability Imperils Master Passwords

A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target’s master password — and proof-of-concept code is available.

DARKReading
#vulnerability#mac#windows#google#linux#git#perl

For the second time in recent months a security researcher has discovered a vulnerability in the widely used KeePass open source password manager.

This one affects KeePass 2.X versions for Windows, Linux, and macOS, and gives attackers a way to retrieve a target’s master password in cleartext from a memory dump — even when the user’s workspace is closed.

While KeePass’ maintainer has developed a fix for the flaw, it won’t become generally available until the release of version 2.54 (likely in early June). Meanwhile, the researcher who discovered the vulnerability — tracked as CVE-2023-32784 — has already released a proof-of-concept for it on GitHub.

“No code execution on the target system is required, just a memory dump,” the security researcher “vdhoney” said on GitHub. “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.”

An attacker can retrieve the master password even if the local user has locked the workspace and even after KeePass is no longer running, the researcher said.

Vdhoney described the vulnerability as one that only an attacker with read access to the host’s filesystem or RAM would be able to exploit. Often, however, that does not require an attacker to have physical access to a system. Remote attackers routinely gain such access these days via vulnerability exploits, phishing attacks, remote access Trojans, and other methods.

“Unless you expect to be specifically targeted by someone sophisticated, I would keep calm,” the researcher added.

Vdhoney said the vulnerability had to do with how a KeyPass custom box for entering passwords called “SecureTextBoxEx” processes user input. When the user types a password, there are leftover strings that allow an attacker to reassemble the password in cleartext, the researcher said. “For example, when ‘Password’ is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d.”

Patch in Early June

In a discussion thread on SourceForge, KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to the password manager to address the problem.

The enhancements will be included in the next KeePass release (2.54), along with other security-related features, Reichel said. He initially indicated that would happen sometime in the next two months, but later revised the estimate delivery date for the new version to early June.

“To clarify, ‘within the next two months’ was meant as an upper bound,” Reichl said. “A realistic estimate for the KeePass 2.54 release probably is ‘in the beginning of June’ (i.e. 2-3 weeks), but I cannot guarantee that.”

Questions About Password Manager Security

For KeePass users, this is the second time in recent months that researchers have uncovered a security issue with the software. In February, researcher Alex Hernandez showed how an attacker with write access to KeePass’ XML configuration file could edit it in a manner as to retrieve cleartext passwords from the password database and export it silently to an attacker-controlled server.

Though the vulnerability was assigned a formal identifier (CVE-2023-24055), KeePass itself disputed that description and maintained the password manager is not designed to withstand attacks from someone that already has a high level of access on a local PC.

“No password manager is safe to use when the operating environment is compromised by a malicious actor,” KeePass had noted at the time. “For most users, a default installation of KeePass is safe when running on a timely patched, properly managed, and responsibly used Window environment.”

The new KeyPass vulnerability is likely to keep discussions around password manager security alive for some more time. In recent months, there have several incidents that have highlighted security issues related to major password manager technologies. In December, for instance, LastPass disclosed an incident where a threat actor, using credentials from a previous intrusion at the company, accessed customer data stored with a third-party cloud service provider.

In January, researchers at Google warned about password managers such as Bitwarden, Dashlane, and Safari Password Manager auto-filling user credentials without any prompting into untrusted pages.

Threat actors meanwhile have ramped up attacks against password manager products, likely as a result of such issues.

In January, Bitwarden and 1Password reported observing paid advertisements in Google search results that directed users who opened the ads to sites for downloading spoofed versions of their password managers.

Related news

KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early

KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early

KeePass vulnerability allows attackers to access the master password

Categories: Exploits and vulnerabilities Categories: News Categories: Personal Tags: KeePass Tags: memory dump Tags: CVE-2023-32784 There is a Proof-of-Concept available for an unpatched vulnerability in KeePass that allows attackers to dump the master password. (Read more...) The post KeePass vulnerability allows attackers to access the master password appeared first on Malwarebytes Labs.

CVE-2023-32784: KeePass / Discussion / Open Discussion: Security

In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.

CVE-2023-24055: KeePass / Feature Requests / #2773 Improve the security of password exports

** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.

DARKReading: Latest News

Too Much 'Trust,' Not Enough 'Verify'