KeePass releases fix for password-leaking security bug

News
By Sead Fadilpašić
published

Users with KeePass 2.x are advised to apply the fix immediately

KeePass logo padlock
(Image credit: KeePass)

Over the weekend, the password management tool KeePass was updated to address a high-severity vulnerability which allowed threat actors to exfiltrate the master password in cleartext. 

Users with KeePass versions 2.x are advised to bring their instances to version 2.54 to eliminate the threat. Those using KeePass 1.x, Strongbox, or KeePass XC, are not vulnerable to the flaw and thus don’t need to migrate to the new version, if they don’t want to.

Those that cannot apply the patch for whatever reason should reset their master password, delete crash dumps and hibernation files, and swap files that could hold pieces of their master password. In more extreme cases, they could reinstall their operating system.

Leftover strings

In mid-May, it was announced that the password management tool was vulnerable to CVE-2023-32784, a flaw that allowed threat actors to partially extract the KeePass master password from the application’s memory dump. The master password would come in cleartext. The vulnerability was discovered by a threat researcher going by the alias “vdohney”, who also released a proof-of-concept for the flaw. 

As explained by the researcher, the problem was found in SecureTextBoxEx: “Because of the way it processes input, when the user types the password, there will be leftover strings,” they said. "For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

read more

> Top password manager denies its entire database can be stolen

> This vicious new malware version is now targeting password managers

> These are the best authenticator apps around

Consequently, an attacker would be able to recover almost all master password characters, even if the workspace is locked, or the program was recently shut down. 

In theory, a threat actor could deploy an infostealer or a similar malware variant to dump the program’s memory and send it, together with the password manager’s database, back to a server under the attacker’s control.

From there, they’d be able to exfiltrate the master password without being pressed for time. With password managers, a master password is used to decrypt and access the database holding all other passwords.

Via: BleepingComputer

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.