Categories
Cybersecurity Advisories

KeePass Flaw Lets Attackers Recover Master Passwords from Memory

An issue was discovered impacting the popular KeePass password manager which affects KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54. Tracked as CVE-2023-32784, the vulnerability allows recovery of the cleartext master password from a memory dump, even when the database is locked or the program is closed. 

It is important to note that successful exploitation of the flaw requires an attacker to have already compromised a potential target’s computer. Additionally, it also requires that the password is typed on a keyboard, and not copied from the device’s clipboard.   

The developer of KeePass promises to push a fix for CVE-2023-32784 on version 2.54, expected to be released in June or July 2023.   

Proof of Concept  

Affected Versions  

All existing versions of KeePass 2.x (e.g., 2.53.1) are affected. Meanwhile, KeePass 1.x (an older edition of the program that’s still being maintained), KeePassXC, and Strongbox, which are other password managers compatible with KeePass database files, are not affected.   

Recommendations

  • Users are advised to update to KeePass 2.54 once it becomes available. 
  • Restarting the computer, clearing your swap file and hibernation files, and not using KeePass until the new version is released are reasonable safety measures for the time being. 
  • For the best protection, be vigilant about not downloading programs from untrusted sites and beware of phishing attacks that may infect your devices, giving threat actors remote access to your device and your KeePass database.  

Technical Details 
The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.  

The master password encrypts the KeePass password database and prevents it from being opened without first entering the password. If that master password becomes compromised, a threat actor can access every credential stored in the database. A proof-of-concept tool was made available that could be exploited to recover a victim’s master password in cleartext under specific circumstances. BleepingComputer tested this tool by installing KeePass on a test device and created a new database with “password123” being the master password.   

After locking the workspace, Process Explorer was used in tests to dump the memory of the KeePass project but required a full memory dump to work correctly. No elevated privileges were needed to dump the process’ memory. The PoC tool was later compiled and executed against their memory dump and recovered most of the cleartext password, with only a few letters missing. Master passwords used in the past can remain in memory, so they can still be retrieved even if KeePass is no longer running on the breached computer.  

Resources & Related Articles