The password manager KeePass, trusted by many, has been found to house a potential security flaw. This vulnerability, given specific conditions, could allow malefactors to recover a user’s master password straight from the system’s memory.
Probing the vulnerability
The flaw, marked as CVE-2023-32784, impacts KeePass 2.x versions across Windows, Linux, and macOS. KeePass plans to rectify this issue in the forthcoming version 2.54, due for release early next month.
“vdohney,” the security researcher who unearthed this flaw and proceeded to create a proof-of-concept (PoC), stated that it’s possible to recover most of the password in plaintext, except for the first character. Importantly, he noted that exploiting this flaw doesn’t necessitate any code execution on the target system – a mere memory dump will suffice.
The researcher went on to say that the origin of the memory is irrelevant to the exploit. There remains a possibility to extract the password from RAM even after KeePass has been shut down, although this probability diminishes with time.
Crucially, for a successful exploitation, the target’s device would already need to be compromised. Moreover, the password must be keyed in and not pasted from a device’s clipboard.
Root cause of the vulnerability
The cause of this vulnerability, according to vdohney, lies in the handling of user data by a custom text box field designed for master password entry. This process appears to leave a memory trace of each character keyed in.
This sets up a situation where an attacker could potentially dump the program’s memory and subsequently reconstruct the password. Except for the first character, the rest of the assembled password would be in plaintext. Users are strongly recommended to update to KeePass 2.54 when it becomes available.
Placing the flaw in context
The exposure of this flaw follows the recent discovery of another medium-severity flaw in KeePass (CVE-2023-24055). That vulnerability could potentially be exploited to retrieve plaintext passwords from the password database by leveraging write access to the software’s XML configuration file.
Google’s security research previously reported similar vulnerabilities in other password managers like Bitwarden, Dashlane, and Safari. However, KeePass maintains a different stance. They argue that their password database doesn’t aim to provide security against an attacker who has such high-level access to the local PC.
This certainly makes the cybersecurity scenario more intricate, doesn’t it, dear readers? We’d love to hear your perspectives on this matter. Please feel free to share your insights in the comment section below!
{{user}} {{datetime}}
{{text}}