A security vulnerability affecting KeePass 2.x for Windows, Linux and macOS gives attackers a way to recover a target’s master password in clear text from a memory dump, regardless of whether the user’s workspace is open or locked. While KeePass has already developed a fix for the problem, it won’t be shipped until version 2.54, which is likely to arrive in early June 2023.
In the meantime, the security researcher who discovered the vulnerability has already published a proof-of-concept exploit on GitHub. The vulnerability is being tracked as CVE-2023-32784, although no CVSS score has been assigned to it yet.
The security researcher, who goes by the name vdohney on the SourceForge forums, failed to find a contact for responsible disclosure and hence posted the issue on the SourceForge forums instead. According to the post, the exploit doesn’t require any code execution on the victim’s machine. All that’s needed to extract the password is a dump of the KeePass process memory, regardless of how that dump was obtained.
The reason KeePass isn’t rushing to fix this vulnerability is that it may not consider it a problem at all. However, that stance sits uneasily with the following statement from KeePass: “When locking the workspace, KeePass closes the database file and only remembers its path and certain view parameters. This provides maximum security: unlocking the workspace is as hard as opening the database file the normal way.”
vdohney further explains in the GitHub PoC notes that the severity of the vulnerability depends on the end user’s threat model. If your PC is already infected with malware running in the background with root or admin privileges, the vulnerability doesn’t make the situation any worse. However, if your machine could be accessed and subjected to forensic analysis, the vulnerability will reveal your KeePass master password rather easily.
While this specific issue might not be worrisome for KeePass users, this is the second time in 2023 that a security vulnerability affecting the password manager has surfaced. In February, researcher Alex Hernandez discovered that an attacker with write access to KeePass’s XML configuration file could edit it in a specific way to extract cleartext passwords from the database and export the data to an attacker-controlled server.
While that vulnerability did receive a formal identifier, CVE-2023-24055, KeePass has since argued that the password manager isn’t designed to withstand attacks from someone who already has high-level access to the local machine.