KeePass has recently launched version 2.54, which addresses the CVE-2023-32784 vulnerability. This vulnerability enabled the extraction of cleartext master passwords from the memory of the application. When users create a new KeePass password manager database, they are required to set a master password, which is then used to encrypt the database. To decrypt the database and access the stored credentials, users must enter the master password.
In May 2023, a security researcher named 'vdohney' reported a vulnerability and provided a proof-of-concept exploit that made it possible to partially extract the cleartext KeePass master password from a memory dump of the application. As vdohney explained in a KeePass bug report, "The problem is with SecureTextBoxEx. Because of the way it processes input, when the user types the password, there will be leftover strings." The researcher further explained that the dumper enables users to recover almost all characters of the master password except for the first one or two, even if the KeePass workspace is locked or the program was recently closed.
Malware or threat actors could exploit this technique to dump the program's memory and send it along with the KeePass database to a remote server for offline retrieval of the cleartext password from the memory dump. Once they obtain the password, they can open the KeePass password database and access all the saved account credentials. Dominik Reichl, the creator and main developer of KeePass, acknowledged the flaw and promised to release a fix soon. He had already implemented an effective solution being tested in beta builds.
Over the weekend, Reichl released KeePass 2.54 sooner than anticipated, and all users of the 2.x branch are strongly advised to upgrade to the new version. Users of KeePass 1.x, Strongbox, or KeePassXC are not affected by CVE-2023-32784 and do not need to migrate to a newer release. To address the vulnerability, KeePass now uses a Windows API to set or retrieve data from text boxes, which prevents the creation of managed strings that can potentially be dumped from memory. Reichl also introduced "dummy strings" with random characters into the memory of the KeePass process to make it more difficult to retrieve fragments of the password from memory and combine them into a valid master password.
KeePass 2.54 also brings other security enhancements, such as moving 'Triggers,' 'Global URL overrides,' and 'Password generator profiles' into the enforced configuration file, which offers additional protection from attacks that modify the KeePass configuration file. If the triggers, overrides, and profiles are not stored in the enforced config because they were created using a previous version, they will be automatically disabled in 2.54, and users will have to manually activate them from the 'Tools' settings menu. Users who cannot upgrade to KeePass 2.54 are advised to reset their master password, delete crash dumps, hibernation files, and swap files that might contain fragments of their master password, or perform a fresh OS install. It is important to note that the issue affects only passwords typed in the program's input forms; if credentials are copied and pasted into the boxes, no data-leaking strings are created in memory.