Simple Security Exploit Allows Retrieval Of KeePass Master Password, Patch Inbound
In the last couple of years, the ever-popular KeePass password manager has come up in a number of articles, such as when it was recently found that passwords could be stolen through the export functionality. Now, KeePass is back in the news with a vulnerability that could allow an attacker to retrieve the master password from memory and swipe all passwords, even if the database is locked.
Assigned “CVE-2023-32784,” the vulnerability was discovered by vdohney on GitHub, who has posted a proof-of-concept exploit and a brief writeup on the vulnerability. In short, KeePass 2.53 and earlier loads the master password into memory in plaintext when it is entered via the keyboard. This means all an attacker has to do is get their hands on a memory dump, regardless of whether it comes from “the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), various crash dumps or RAM dump of the entire system.”
It also does not matter if the workspace is locked, if KeePass is running, if “Enter master key on secure desktop” is enabled, or otherwise. Though not tested, this attack might also work on the macOS version of KeePass, which is equally concerning. However, this is not the end of the world, as an attacker would need read access to files or your RAM, at which point you might have bigger issues.
In any event, this vulnerability was confirmed earlier in May by KeePass’s author Dominik Reichl, who has since implemented two enhancements. The first uses Windows API functions to get and set the text of the master password text box, and the second creates dummy strings in memory to somewhat obfuscate the possible password. While the former enhancement is not applicable to macOS or Linux, the latter is implemented for all platforms.
Hopefully, the next version of KeePass with these updates (2.54) will come out in the next couple of weeks, but until then, it might be worthwhile enhancing your own security for peace of mind. This could include enabling full disk encryption and running a malware scan to ensure you aren’t infected with something that could leverage this already.
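As an added example (not from the article or the KeePass project), the following PowerShell triage script turns the advice above into a quick host check: it reports whether the installed KeePass is older than the 2.54 release the article says carries the fixes, whether the page file and hibernation file named in the article exist on the system drive, and whether BitLocker protects that drive. The KeePass install path is an assumption about a default installation; adjust it for custom installs.

```powershell
# Added triage script: checks a Windows host for the CVE-2023-32784 exposure points
# described in the article. Not part of KeePass; paths below are assumptions.
$keePassExe   = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'  # assumed default install path
$fixedVersion = [version]'2.54'                                           # first release with the fixes

$findings = @()

# 1. Installed KeePass version: anything below 2.54 still has the plaintext master password issue.
if (Test-Path $keePassExe) {
    $installed = [version](Get-Item $keePassExe).VersionInfo.ProductVersion
    if ($installed -lt $fixedVersion) {
        $findings += "KeePass $installed is older than $fixedVersion and affected by CVE-2023-32784"
    }
} else {
    $findings += "KeePass.exe not found at $keePassExe (check for a custom install location)"
}

# 2. Memory-at-rest artifacts named in the article. Test-Path reports hidden system files.
if (Test-Path 'C:\hiberfil.sys') { $findings += 'Hibernation file C:\hiberfil.sys is present (RAM copy on disk)' }
if (Test-Path 'C:\pagefile.sys') { $findings += 'Page file C:\pagefile.sys is present (swapped process memory)' }

# 3. Full disk encryption keeps those files unreadable offline. Get-BitLockerVolume needs
#    an elevated session; a null result is reported rather than treated as protected.
$bl = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue
if ($null -eq $bl) {
    $findings += 'Could not query BitLocker for C: (run elevated to confirm full disk encryption)'
} elseif ($bl.ProtectionStatus -ne 'On') {
    $findings += 'BitLocker protection is not on for C:'
}

if ($findings.Count -eq 0) {
    'No findings: KeePass is patched and memory artifacts are encrypted at rest.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell session so the BitLocker query succeeds. A finding on the version line means the host should be updated as soon as 2.54 ships; findings on the page or hibernation file matter mostly when the disk is not encrypted, which is why the script reports BitLocker status alongside them.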