For the second time in recent months a security researcher has discovered a vulnerability in the widely used KeePass open source password manager.
This one affects KeePass 2.X versions for Windows, Linux, and macOS, and gives attackers a way to retrieve a target’s master password in cleartext from a memory dump — even when the user’s workspace is closed.
While KeePass’ maintainer has developed a fix for the flaw, it won’t become generally available until the release of version 2.54 (likely in early June). Meanwhile, the researcher who discovered the vulnerability — tracked as CVE-2023-32784 — has already released a proof-of-concept for it on GitHub.
“No code execution on the target system is required, just a memory dump,” the security researcher “vdhoney” said on GitHub. “It doesn’t matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.”
An attacker can retrieve the master password even if the local user has locked the workspace and even after KeePass is no longer running, the researcher said.
Vdhoney described the vulnerability as one that only an attacker with read access to the host’s filesystem or RAM would be able to exploit. Often, however, that does not require an attacker to have physical access to a system. Remote attackers routinely gain such access these days via vulnerability exploits, phishing attacks, remote access Trojans, and other methods.
“Unless you expect to be specifically targeted by someone sophisticated, I would keep calm,” the researcher added.
Vdhoney said the vulnerability had to do with how a KeyPass custom box for entering passwords called “SecureTextBoxEx” processes user input. When the user types a password, there are leftover strings that allow an attacker to reassemble the password in cleartext, the researcher said. “For example, when ‘Password’ is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d.”
Patch in Early June
In a discussion thread on SourceForge, KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to the password manager to address the problem.
The enhancements will be included in the next KeePass release (2.54), along with other security-related features, Reichel said. He initially indicated that would happen sometime in the next two months, but later revised the estimate delivery date for the new version to early June.
“To clarify, ‘within the next two months’ was meant as an upper bound,” Reichl said. “A realistic estimate for the KeePass 2.54 release probably is ‘in the beginning of June’ (i.e. 2-3 weeks), but I cannot guarantee that.”
Questions About Password Manager Security
For KeePass users, this is the second time in recent months that researchers have uncovered a security issue with the software. In February, researcher Alex Hernandez showed how an attacker with write access to KeePass’ XML configuration file could edit it in a manner as to retrieve cleartext passwords from the password database and export it silently to an attacker-controlled server.
Though the vulnerability was assigned a formal identifier (CVE-2023-24055), KeePass itself disputed that description and maintained the password manager is not designed to withstand attacks from someone that already has a high level of access on a local PC.
“No password manager is safe to use when the operating environment is compromised by a malicious actor,” KeePass had noted at the time. “For most users, a default installation of KeePass is safe when running on a timely patched, properly managed, and responsibly used Window environment.”
The new KeyPass vulnerability is likely to keep discussions around password manager security alive for some more time. In recent months, there have several incidents that have highlighted security issues related to major password manager technologies. In December, for instance, LastPass disclosed an incident where a threat actor, using credentials from a previous intrusion at the company, accessed customer data stored with a third-party cloud service provider.
In January, researchers at Google warned about password managers such as Bitwarden, Dashlane, and Safari Password Manager auto-filling user credentials without any prompting into untrusted pages.
Threat actors meanwhile have ramped up attacks against password manager products, likely as a result of such issues.
In January, Bitwarden and 1Password reported observing paid advertisements in Google search results that directed users who opened the ads to sites for downloading spoofed versions of their password managers.