KeePass Vulnerability Discovered « Giveaway of the Day Forums

Back to Giveaway of the Day

Giveaway of the Day Forums » Technical notes

KeePass Vulnerability Discovered

(2 posts) (1 voice)

Started 1 year ago by mikiem2
Latest reply from mikiem2

mikiem2
Moderator

bleepingcomputer[.]com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/

The issue does not effect the earlier 1.x versions [I use the portable version 1.41], & was discovered by a researcher who [IMHO irresponsibly (Idgit)] also released a Proof Of Concept [POF] app to show how to exploit the bug, making it so much easier for cyber criminals. There is a Beta build of KeePass that fixes the problem - keepass[.]info/filepool/KeePass_230507.zip - with a regular version update expected soon.

A new KeePass vulnerability tracked as CVE-2023-3278 makes it possible to recover the KeePass master password, apart from the first one or two characters, in cleartext form, regardless of whether the KeePass workspace is locked, or possibly, even if the program is closed.

"No code execution on the target system is required, just a memory dump. It doesn't matter where the memory comes from - can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system. It doesn't matter whether or not the workspace is locked."

Posted 1 year ago #
mikiem2
Moderator

bleepingcomputer[.]com/news/security/keepass-v254-fixes-bug-that-leaked-cleartext-master-password/

Over the weekend, Reichl released KeePass 2.54 sooner than expected, and all users of the 2.x branch are strongly recommended to upgrade to the new version.

Users of KeePass 1.x, Strongbox, or KeePassXC are not impacted by CVE-2023-32784 and, thus, do not need to migrate to a newer release.

To fix the vulnerability, KeePass is now using a Windows API to set or retrieve data from text boxes, preventing the creation of managed strings that can potentially be dumped from memory.

Reichl also introduced "dummy strings" with random characters into the memory of the KeePass process to make it harder to retrieve fragments of the password from memory and combine them into a valid master password.

KeePass 2.5.4 also introduces other security enhancements, such as moving 'Triggers,' 'Global URL overrides,' and 'Password generator profiles' into the enforced configuration file, which provides additional security from attacks that modify the KeePass configuration file.

If the triggers, overrides, and profiles aren't stored in the enforced config because they were created using a previous version, they will be disabled automatically in 2.54, and users will have to manually activate them from the 'Tools' settings menu.

Users who cannot upgrade to KeePass 2.54 are recommended to reset their master password, delete crash dumps, hibernation files, and swap files that might contain fragments of their master password, or perform a fresh OS install.

Keep in mind that the issue impacts only passwords typed in the program's input forms, so if the credentials are copied and pasted into the boxes, no data-leaking strings are created in memory.

Posted 1 year ago #

RSS feed for this topic

Reply

You must log in to post.