A security researcher has identified a vulnerability in the popular KeePass open source password manager for the second time in recent months. The latest issue, tracked as CVE-2023-32784, affects KeePass 2.X versions on Windows, Linux, and macOS, and enables attackers to obtain a user's master password in cleartext from a memory dump, even when the user's workspace is locked. KeePass' maintainer has developed a fix for the flaw, but it will not be generally available until the release of version 2.54, expected in early June. The researcher who discovered the vulnerability, known as "vdhoney," has already released a proof-of-concept for it on GitHub.
"No code execution on the target system is required, just a memory dump," vdhoney said on GitHub. "It doesn't matter where the memory comes from — can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system." The master password can be retrieved even if the local user has locked the workspace and even after KeePass is no longer running, according to the researcher. The vulnerability can only be exploited by an attacker with read access to the host's filesystem or RAM, but this does not necessarily require physical access to the system. Remote attackers can often gain such access through vulnerability exploits, phishing attacks, remote access Trojans, and other methods. "Unless you expect to be specifically targeted by someone sophisticated, I would keep calm," vdhoney added.
The vulnerability is related to how KeePass' custom box for entering passwords, called "SecureTextBoxEx," processes user input. When a user types a password, leftover strings allow an attacker to reassemble the password in cleartext, the researcher explained. In a discussion thread on SourceForge, KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to address the problem. These enhancements will be included in the next KeePass release (2.54), along with other security-related features. Reichl initially estimated the release would happen within two months but later revised the delivery date to early June.
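To make the mechanism concrete, here is an added illustration in C (not KeePass code, and not the researcher's proof of concept): a simplified model of the two input-handling strategies, where each keystroke either produces a fresh copy of the text typed so far (as immutable-string concatenation does) or is written into one buffer in place that is wiped after use. The arena, the function names and the sample password are assumptions; `count_copies` stands in for scanning a memory dump and gives a defender a measure of how much residue each strategy leaves.

```c
#include <stdlib.h>
#include <string.h>
/* Bump allocator standing in for a managed heap, where discarded strings
 * stay readable until collected (hypothetical model, not KeePass code). */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_top;
static char *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) abort();
    arena_top += n;
    return (char *)arena + arena_top - n;
}
void arena_reset(void) { memset(arena, 0, ARENA_SIZE); arena_top = 0; }

/* Residue check: copies of `needle` a dump-style scan of the arena finds. */
int count_copies(const char *needle) {
    size_t n = strlen(needle);
    int hits = 0;
    for (size_t i = 0; i + n <= arena_top; i++)
        if (memcmp(arena + i, needle, n) == 0) hits++;
    return hits;
}

/* Leaky model: every keystroke builds a fresh string of all text typed so
 * far (immutable-string concatenation), leaving each older prefix behind. */
const char *leaky_type(const char *keys) {
    const char *cur = "";
    for (size_t i = 0; keys[i]; i++) {
        size_t len = strlen(cur);
        char *next = arena_alloc(len + 2);
        memcpy(next, cur, len);
        next[len] = keys[i];
        next[len + 1] = '\0';
        cur = next;
    }
    return cur;
}

/* Hardened model: one buffer filled in place per keystroke, no copies. */
char *hardened_type(const char *keys) {
    char *buf = arena_alloc(strlen(keys) + 1);
    size_t i = 0;
    do { buf[i] = keys[i]; } while (keys[i++]);  /* copies the terminator too */
    return buf;
}
/* Wipe through a volatile pointer so the compiler cannot elide the stores. */
void secure_wipe(char *buf, size_t n) {
    volatile char *v = buf;
    while (n--) *v++ = 0;
}
```

Typing the constructed password "hunter2" through `leaky_type` leaves four copies of the prefix "hunt" in the arena, while `hardened_type` followed by `secure_wipe` leaves none; the same scan is what a defender would run against a real dump to check whether a fix actually removed the residue.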
This is the second time in recent months that researchers have uncovered a security issue with KeePass. In February, researcher Alex Hernandez demonstrated how an attacker with write access to KeePass' XML configuration file could edit it to retrieve cleartext passwords from the password database and silently export them to an attacker-controlled server. This vulnerability was assigned the identifier CVE-2023-24055. KeePass disputed the description, arguing that no password manager is safe to use when the operating environment is compromised by a malicious actor.
The new KeePass vulnerability is likely to fuel ongoing discussions about password manager security. In recent months, several incidents have highlighted security issues with major password manager technologies. For example, LastPass disclosed an incident in December where a threat actor accessed customer data using credentials from a previous intrusion. In January, Google researchers warned about password managers such as Bitwarden, Dashlane, and Safari Password Manager auto-filling user credentials into untrusted pages without prompting. Threat actors have also increased attacks against password manager products, likely due to these issues. In January, Bitwarden and 1Password reported observing paid advertisements in Google search results that directed users to sites for downloading spoofed versions of their password managers.