The popular password manager KeePass had a severe security vulnerability that could expose users’ master passwords in cleartext. Following the bug report, the project patched the flaw in the next KeePass release, along with numerous other feature upgrades.
KeePass Vulnerability Could Leak Master Passwords
A security researcher with the alias “vdohney” found a serious security issue affecting the KeePass password manager. Specifically, exploiting the vulnerability could let an adversary recover the KeePass master password in plaintext.
As explained in the researcher’s bug report, the default KeePass settings allowed the master password to be extracted from a dump of the process memory. Doing so did not require code execution, and it worked regardless of where the memory came from.
Given a process memory dump, I am able to reconstruct the master password. It doesn’t matter whether the workspace is locked or not, it works regardless. The memory source also isn’t important – for example, it can be a pagefile (swap) or the hibernation file. No code execution is needed, just the memory alone.
Also, the leftover password data remained in memory even after the workspace was locked. The researcher noted that this contradicts KeePass’s claim that locking the workspace closes the database file.
Specifically, the issue existed in the SecureTextBoxEx class. As the user typed the KeePass master password, the control left strings containing the typed characters behind in process memory.
Alongside sharing the details in the report, the researcher also demonstrated the flaw (CVE-2023-32784) in the proof-of-concept shared on GitHub.
KeePass Patched The Flaw
While the vulnerability seemed severe, interestingly, it didn’t affect passwords when pasted from the clipboard. Instead, it only worked with passwords typed manually. (Though, copying passwords and leaving them on the clipboard is another bad security practice.) Also, the vulnerability didn’t expose the first character of the master password but rather the following characters only.
Nonetheless, to eliminate the risk, Dominik Reichl, KeePass’ creator and developer, addressed the issue in the latest release. As explained in his response to vdohney, KeePass now uses Windows API functions for “getting/setting the text of the text box” instead of creating managed strings. Also, the tool now creates dummy fragments in process memory so that the genuine fragments cannot be told apart from decoys.
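The mechanism behind the bug and the fix is a general .NET secure-coding lesson: managed strings are immutable, so building typed input one character at a time leaves every intermediate string on the heap, unzeroed, until the garbage collector happens to reuse that memory. The following C# is an added illustration written for this article, not KeePass’s own code (KeePass’s real fix goes through Windows API calls and plants decoy fragments, as described above). The class names `SensitiveInput` and `PinnedBuffer` and the sample keystrokes are assumptions made for the example; it contrasts the per-keystroke string pattern with a single pinned buffer that is overwritten in place and explicitly cleared.

```csharp
using System;
using System.Runtime.InteropServices;

// Added illustration (hypothetical names, not KeePass code): why per-keystroke
// managed strings leave fragments behind, and a buffer-based alternative.
static class SensitiveInput
{
    // Leaky pattern: each "+=" allocates a new immutable string, so the heap
    // accumulates "s", "s3", "s3c", ... None of them is ever zeroed by the runtime;
    // they simply wait for the GC to reclaim the memory, which may never happen
    // before a memory dump, pagefile write or hibernation capture.
    public static string CollectWithStrings(ReadOnlySpan<char> keystrokes)
    {
        string typed = string.Empty;
        foreach (char c in keystrokes)
            typed += c;
        return typed;
    }

    // Hardened pattern: one pinned char[] that is filled in place. Pinning stops the
    // GC from relocating (and thereby copying) it, and Dispose() zeroes it before
    // the memory is handed back, so no intermediate copies exist to be recovered.
    public sealed class PinnedBuffer : IDisposable
    {
        private readonly char[] _buf;
        private GCHandle _handle;
        public int Length { get; private set; }

        public PinnedBuffer(int capacity)
        {
            _buf = new char[capacity];
            _handle = GCHandle.Alloc(_buf, GCHandleType.Pinned);
        }

        public void Append(char c)
        {
            if (Length >= _buf.Length)
                throw new InvalidOperationException("buffer full");
            _buf[Length++] = c;
        }

        // Expose the characters as a span so consumers (e.g. a key-derivation step
        // that accepts a span or byte array) never need a managed string.
        public ReadOnlySpan<char> View() => new ReadOnlySpan<char>(_buf, 0, Length);

        public void Dispose()
        {
            Array.Clear(_buf, 0, _buf.Length); // overwrite with zeros first
            Length = 0;
            if (_handle.IsAllocated) _handle.Free();
        }
    }

    static void Main()
    {
        // Constructed sample keystrokes for the demonstration.
        ReadOnlySpan<char> keystrokes = "s3cret!".AsSpan();

        // Leaky: six intermediate strings now sit on the managed heap.
        string leaky = CollectWithStrings(keystrokes);
        Console.WriteLine($"string pattern collected {leaky.Length} chars (plus intermediates)");

        // Hardened: one buffer, no intermediates, wiped on dispose.
        using (var buf = new PinnedBuffer(64))
        {
            foreach (char c in keystrokes)
                buf.Append(c);
            Console.WriteLine($"buffer pattern collected {buf.View().Length} chars");
        } // buffer zeroed here
    }
}
```

The caveat that matters in practice: the hardened buffer only helps as long as the characters are never turned back into a `string` (for example by calling `new string(buf.View())` to feed a hashing API), since that recreates exactly the managed copy the pattern was meant to avoid. Downstream consumers should accept spans or byte arrays that can be cleared in the same way.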
The developers released these fixes with KeePass version 2.54. Besides this bug fix, the new password manager version includes several improvements and feature upgrades.
Some noteworthy changes include the ability to store triggers, global URL overrides, password generator profiles, and other settings in the enforced configuration file, a new dialog for the “Enforce Options” setting, and improved Export confirmation dialog boxes.
Now that both the vulnerability PoC and the patch are public, all KeePass users should update immediately to the latest KeePass release (2.54 or later) to stay protected from potential attacks.
Let us know your thoughts in the comments.