Jump to content
  • KeePass v2.54 fixes bug that leaked cleartext master password


    Karlston

    • 864 views
    • 3 minutes
     Share


    • 864 views
    • 3 minutes

    KeePass has released version 2.54, fixing the CVE-2023-32784 vulnerability that allows the extraction of the cleartext master password from the application's memory.

     

    When creating a new KeePass password manager database, users must create a master password, which is used to encrypt the database. When opening the database in the future, users are required to enter this master key to decrypt it and access the credentials stored within it.

     

    However, in May 2023, security researcher 'vdohney' disclosed a vulnerability and proof-of-concept exploit that allowed you to partially extract the cleartext KeepPass master password from a memory dump of the application.

     

    "The problem is with SecureTextBoxEx. Because of the way it processes input, when the user types the password, there will be leftover strings," explained vdohney in a KeePass bug report.

     

    "For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

     

    This dumper allows users to recover almost all master password characters apart from the first one or two, even if the KeePass workspace is locked or the program was closed recently.

     

    recovered-keepass-master-password.jpg

    Extracting most of the KeePass master passwordSource: BleepingComputer

     

    Information-stealing malware or threat actors could use this technique to dump the program's memory and send it and the KeePass database back to a remote server for offline retrieval of the cleartext password from the memory dump. Once the password is retrieved, they can open the KeePass password database and access all the saved account credentials.

     

    KeePass's creator and main developer, Dominik Reichl, acknowledged the flaw and promised to release a fix soon, having already implemented an effective solution being tested in beta builds.

    KeePass 2.5.4 fixes vulnerability

    Over the weekend, Reichl released KeePass 2.54 sooner than expected, and all users of the 2.x branch are strongly recommended to upgrade to the new version.

     

    Users of KeePass 1.x, Strongbox, or KeePassXC are not impacted by CVE-2023-32784 and, thus, do not need to migrate to a newer release.

     

    To fix the vulnerability, KeePass is now using a Windows API to set or retrieve data from text boxes, preventing the creation of managed strings that can potentially be dumped from memory.

     

    Reichl also introduced "dummy strings" with random characters into the memory of the KeePass process to make it harder to retrieve fragments of the password from memory and combine them into a valid master password.

     

    KeePass 2.5.4 also introduces other security enhancements, such as moving 'Triggers,' 'Global URL overrides,' and 'Password generator profiles' into the enforced configuration file, which provides additional security from attacks that modify the KeePass configuration file.

     

    If the triggers, overrides, and profiles aren't stored in the enforced config because they were created using a previous version, they will be disabled automatically in 2.54, and users will have to manually activate them from the 'Tools' settings menu.

     

    Users who cannot upgrade to KeePass 2.54 are recommended to reset their master password, delete crash dumps, hibernation files, and swap files that might contain fragments of their master password, or perform a fresh OS install.

     

    Keep in mind that the issue impacts only passwords typed in the program's input forms, so if the credentials are copied and pasted into the boxes, no data-leaking strings are created in memory.

     

     

    KeePass v2.54 fixes bug that leaked cleartext master password

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...