A recently disclosed security vulnerability in KeePass, a widely used password manager, allows threat actors to recover the master password from the application's memory. The password can be retrieved even while the database is locked, so any stored credentials are at risk once a device has been compromised.
The vulnerability was discovered by a security researcher known as “vdohney” and is tracked as CVE-2023-3278. The researcher also published a proof-of-concept tool, KeePass Master Password Dumper, that demonstrates how an attacker can extract the KeePass master password from a memory image.
Password managers generate a unique password for each account and store those passwords securely, so users no longer have to memorize many different passwords. In exchange, the user must remember a single master password that encrypts the KeePass database and gates access to every stored credential.
If the master password is compromised, unauthorized individuals could gain unrestricted access to all the credentials stored within the database, posing a serious threat. Therefore, users must prioritize safeguarding their master password and refrain from sharing it with others.
CVE-2023-3278 makes it possible to retrieve the KeePass master password in clear text, except for the first few characters, regardless of whether the workspace is locked. This allows most of the master password to be recovered in plaintext. The memory can come from any source, such as a process dump, the swap file, the hibernation file, or a full RAM dump, so no code execution on the target system is required.
The flaw stems from the custom password entry box, “SecureTextBoxEx,” used by KeePass 2.X, which inadvertently leaves traces of each user-typed character in memory. The same leak therefore affects not only the master password but also the other password edit boxes within KeePass.
The vulnerability affects KeePass 2.53.1 and potentially its forks. However, it seems that the flaw doesn’t affect KeePassXC, Strongbox, or KeePass 1.X. The exploit is not limited to Windows and can be adapted for Linux and macOS since it stems from how KeePass handles user input rather than being OS-specific.
To limit exposure, experts recommend changing your master password immediately, deleting the hibernation file, deleting the pagefile/swapfile, overwriting the deleted data on the HDD to prevent carving, and finally, restarting your system.
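The clean-up steps above, applied on Windows as an added example (this script is not from the article or the KeePass project). It assumes an elevated PowerShell session, an NTFS system drive at `C:` (hypothetical; adjust `$SystemDrive`), and it uses the clear-pagefile-at-shutdown setting rather than removing the pagefile outright, since Windows cannot delete an active pagefile before the reboot that ends the procedure.

```powershell
# Added example, not the article's or KeePass's own code.
# Run from an elevated (Administrator) PowerShell session.
$ErrorActionPreference = 'Stop'
$SystemDrive = 'C:'   # assumption: adjust if Windows is installed elsewhere

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must be run from an elevated PowerShell session.'
}

# Step 1: change the KeePass master password first (done manually in KeePass).
Write-Host 'Reminder: change the KeePass master password in KeePass before continuing.'

# Step 2: hibernation file. Turning hibernation off makes Windows delete
# hiberfil.sys, which otherwise holds a full RAM image including KeePass memory.
powercfg.exe /hibernate off

# Step 3: pagefile. Ask Windows to overwrite pagefile.sys at shutdown so any
# swapped-out KeePass pages do not survive the reboot at the end of this procedure.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
Set-ItemProperty -Path $mm -Name 'ClearPageFileAtShutdown' -Value 1 -Type DWord

# Step 4: overwrite free space so deleted copies of the hibernation and page
# files cannot be carved back from the disk. cipher /w only works on NTFS
# volumes and can take a long time on large drives.
cipher.exe /w:$SystemDrive\

# Step 5: reboot to discard current RAM contents and apply the pagefile setting.
Write-Host 'Clean-up complete. Reboot now with: Restart-Computer'
```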
As a global leader in providing IT management software, ManageEngine offers an all-in-one Patch Manager Plus that simplifies the patch management process, helps to secure endpoints, and mitigates cybersecurity threats, thereby ensuring that organizations can use KeePass securely.