Friday, 19 May 2023 11:51

Well Crap, New Flaw in KeePass Allows Attackers to Recover Master Password via Memory Dump

Written by

Reading time is around minutes.

KeePass has a bit of a memory issue. It seems that the master password is passed in clear text through memory. This tiny little (sarcasm) bug was identified by a security researcher who goes by the name as vdohney. A proof of concept (POC) has already been published which usually leads to in-the-wild exploitation of the flaw (tracked as CVE-2023-32784). Oh, and if you did not know KeePass is a password manager/vault.

KeePass used to have more than one method for safeguarding the vault created., however it has shortened the list of these down to the master password as it was the most common one used anyway. The master password then becomes the decryption key to gain access to the passwords stored in the vault. The vulnerability allows someone to scrape the master password from memory and other files found on the system (like pagefile.sys and hiberfil.sys). You can also recover the password via a complete memory dump or just a process dump. It does not matter if the vault is locked, or the application is closed. The master password can still be pulled down. The flaw is in a part of the application where passwords are entered called SecureTextBoxEx. This password entry box leaves traces of the passwords typed in memory including the master password and potentially other passwords entered inside the vault.

There is good news here though, to grab the passwords an attacker must have already compromised the system. This does not mean that someone could not leverage an information stealing malware with commands to search for KeePass would not be able to grab your master password. So protection from general malware should block this type of attempt. Also, as it is dumping memory MDR/XDR products that monitor and prevent process dumps and access to both hiberfil and pagefile should be able to prevent this. KeePass is also aware of this flaw and anticipates having a fix for it. This fix was originally expected to roll out In July, but with the disclosure of the flaw this might roll out in the next two weeks.

Read 967 times Last modified on Tuesday, 23 May 2023 10:52

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.