KeePass Vulnerability Imperils Master Passwords

Published: 23/11/2024   Category: security
A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password — and proof-of-concept code is available.



For the second time in recent months, a security researcher has discovered a vulnerability in the widely used KeePass open source password manager.
This one affects KeePass 2.X versions for Windows, Linux, and macOS, and gives attackers a way to retrieve a target's master password in cleartext from a memory dump — even when the user's workspace is closed.
While the KeePass maintainer has developed a fix for the flaw, it won't become generally available until the release of version 2.54 (likely in early June). Meanwhile, the researcher who discovered the vulnerability — tracked as CVE-2023-32784 — has already released a proof-of-concept for it on GitHub.
"No code execution on the target system is required, just a memory dump," the security researcher vdhoney said on GitHub. "It doesn't matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system."
An attacker can retrieve the master password even if the local user has locked the workspace and even after KeePass is no longer running, the researcher said.
Vdhoney described the vulnerability as one that only an attacker with read access to the host's filesystem or RAM would be able to exploit. Often, however, that does not require an attacker to have physical access to a system. Remote attackers routinely gain such access these days via vulnerability exploits, phishing attacks, remote access Trojans, and other methods.
"Unless you expect to be specifically targeted by someone sophisticated, I would keep calm," the researcher added.
Vdhoney said the vulnerability had to do with how a KeePass custom box for entering passwords, called SecureTextBoxEx, processes user input. When the user types a password, there are leftover strings that allow an attacker to reassemble the password in cleartext, the researcher said. For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d.
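As an added illustration (not code from the article or from KeePass), the following Python model shows how the leftover strings described above arise: a masked input box that rebuilds an immutable string on every keystroke, next to a variant that keeps the secret in a single mutable buffer and zeroes it, with a simple audit of the simulated memory. The class names and the list standing in for process memory are assumptions; the article's example starts from the second keystroke, while this model records the first one as well.

```python
BULLET = "•"


class LeakyMaskedBox:
    """Masked box that rebuilds an immutable string on every keystroke.
    `heap` is a constructed stand-in for process memory that is never
    overwritten, so each intermediate string (mask + newest char) survives."""

    def __init__(self):
        self.heap, self.length = [], 0

    def type_char(self, ch):
        # As in the article: typing "Password" leaves "•a", "••s", "•••s",
        # ... behind, one leftover string per keystroke.
        self.heap.append(BULLET * self.length + ch)
        self.length += 1

    def clear(self):
        self.length = 0  # locking the workspace; old strings stay in `heap`


class HardenedMaskedBox:
    """Same mask on screen, but the secret lives in one mutable buffer that
    is updated in place and zeroed on clear, so no per-key string is built."""

    def __init__(self):
        self.heap, self.secret = [], bytearray()

    def type_char(self, ch):
        self.secret += ch.encode()
        self.heap.append(BULLET * len(self.secret))  # only the mask is built

    def clear(self):
        for i in range(len(self.secret)):
            self.secret[i] = 0


def leaked_strings(heap):
    """Audit check: a dumped string with any non-bullet character is
    password material the control left behind."""
    return [s for s in heap if any(c != BULLET for c in s)]


def simulate(box_cls, password):
    """Type `password`, lock the workspace (clear), then audit the heap."""
    box = box_cls()
    for ch in password:
        box.type_char(ch)
    box.clear()
    return leaked_strings(box.heap)
```

The leaky model reproduces the article's string sequence after clearing, while the hardened model leaves only masks in the simulated memory and a zeroed secret buffer.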
In a discussion thread on SourceForge, KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to the password manager to address the problem.
The enhancements will be included in the next KeePass release (2.54), along with other security-related features, Reichl said. He initially indicated that would happen sometime in the next two months, but later revised the estimated delivery date for the new version to early June.
"To clarify, 'within the next two months' was meant as an upper bound," Reichl said. "A realistic estimate for the KeePass 2.54 release probably is in the beginning of June (i.e. 2-3 weeks), but I cannot guarantee that."
For KeePass users, this is the second time in recent months that researchers have uncovered a security issue with the software. In February, researcher Alex Hernandez showed how an attacker with write access to the KeePass XML configuration file could edit it so as to retrieve cleartext passwords from the password database and export them silently to an attacker-controlled server.
Though the vulnerability was assigned a formal identifier (CVE-2023-24055), KeePass itself disputed that description and maintained that the password manager is not designed to withstand attacks from someone who already has a high level of access on a local PC.
"No password manager is safe to use when the operating environment is compromised by a malicious actor," KeePass had noted at the time. "For most users, a default installation of KeePass is safe when running on a timely patched, properly managed, and responsibly used Windows environment."
The new KeePass vulnerability is likely to keep discussions around password manager security alive for some time. In recent months, there have been several incidents that have highlighted security issues related to major password manager technologies. In December, for instance, LastPass disclosed an incident where a threat actor, using credentials from a previous intrusion at the company, accessed customer data stored with a third-party cloud service provider.
In January, researchers at Google warned about password managers such as Bitwarden, Dashlane, and Safari Password Manager auto-filling user credentials without any prompting into untrusted pages.
Threat actors meanwhile have ramped up attacks against password manager products, likely as a result of such issues. In January, Bitwarden and 1Password reported observing paid advertisements in Google search results that directed users who opened the ads to sites for downloading spoofed versions of their password managers.