Posted on May 18, 2023 at 5:36 PM
Researchers have detected a vulnerability in the popular KeePass password manager. The flaw stems from the master password being left in the application’s memory, and it allows attackers who have already compromised a device to retrieve the password even in cases where the database itself is not available to them.
KeePass vulnerability can extract the master password
The issue was discovered by a cybersecurity researcher known as “vdohney,” who published a proof-of-concept tool that recovers the KeePass master password from memory.
The password manager also lets users generate unique passwords for each online transaction, and the credentials can then be stored in a searchable database, or password vault. Users need only a single master password to gain access to the stored credentials.
The master password also encrypts the KeePass password database, ensuring it cannot be opened or read without first entering the password. Once the master password is compromised, however, the threat actor gains access to everything stored in the database.
The newly discovered KeePass vulnerability is tracked as CVE-2023-32784. It allows recovery of the master password, minus its first one or two characters, in clear text, regardless of whether the KeePass workspace has been locked or the program has been closed.
A security researcher commented on the development on the GitHub page for the exploit tool, saying, “KeePass Master Password Dumper is a simple proof-of-concept tool used to dump the master password from KeePass’s memory. Apart from the first password character, it is mostly able to recover the password in plaintext.”
The vulnerability exists because the software uses a custom password entry box, “SecureTextBoxEx,” that leaves a trace in memory of each character the user has typed. This text box is used for master password entry and elsewhere in the application, such as in the password edit boxes.
KeePass flaw is easy to exploit
To recover the KeePass master password, an attacker first needs a dump of the program’s memory. Exploiting the CVE-2023-32784 flaw therefore requires physical access, and the target machine also has to be infected with malware.
However, a threat actor can use information-stealing malware to check whether KeePass is installed or running on a system. If it is running, the malware dumps the program’s memory and sends it to the attacker, along with the KeePass database, so that the clear-text password can be recovered from the dump offline.
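Because the attack path above depends on some process on the host reading KeePass’s memory, one defensive check is to alert on ProcessAccess events that open KeePass.exe with memory-read rights. The following is an added example, not code from the article, from KeePass or from the PoC tool; it assumes Sysmon Event ID 10 records flattened into pipe-separated key=value lines (a constructed format; the field names are Sysmon’s) and an assumed site-specific allowlist of benign source processes.

```python
PROCESS_VM_READ = 0x0010   # Windows access right needed to read another process's memory
TARGET_IMAGE = "keepass.exe"
# Assumed allowlist of source images expected to open other processes on this host (tune per site).
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

# Constructed sample records: Sysmon Event ID 10 (ProcessAccess) fields flattened into
# pipe-separated key=value pairs. Real Sysmon output is XML/EVTX; only the field names are real.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Program Files\KeePass\KeePass.exe|GrantedAccess=0x1410",
    r"EventID=10|SourceImage=C:\Users\alice\AppData\Local\Temp\updater.exe|TargetImage=C:\Program Files\KeePass\KeePass.exe|GrantedAccess=0x1410",
    r"EventID=10|SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Program Files\KeePass\KeePass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Users\alice\AppData\Local\Temp\updater.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF",
    r"EventID=1|Image=C:\Program Files\KeePass\KeePass.exe|CommandLine=KeePass.exe",
]


def parse_event(line):
    """Split one flattened record into a dict of field -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_keepass_memory_read(event):
    """True when a non-allowlisted process obtained a handle to KeePass.exe that includes VM_READ."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\" + TARGET_IMAGE):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)   # Sysmon logs the access mask as hex
    if not granted & PROCESS_VM_READ:
        return False   # e.g. 0x1000 (query limited information) cannot read memory
    return event.get("SourceImage", "").lower() not in ALLOWLIST


def find_suspicious_access(lines):
    """Return (source image, granted access) for every event that should raise an alert."""
    hits = []
    for event in map(parse_event, lines):
        if is_keepass_memory_read(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, access in find_suspicious_access(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened KeePass.exe with GrantedAccess={access}")
```

On the sample data only the unknown binary in the user's Temp folder is flagged: it requested 0x1410, a mask that includes PROCESS_VM_READ, against KeePass.exe.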
KeePass developer Dominik Reichl is aware of the vulnerability. Reichl said he had received the bug report and promised that a fix for the flaw would ship in version 2.54, planned for July 2023. However, Reichl also said that KeePass version 2.54 is likely to be rolled out to users in around two weeks, so it will be out by early June.