KeePass, a widely-used open-source password manager, saves user input in retrievable memory strings, including master passwords that protect the user’s credentials.
The problem stems from how KeePass handles user-typed content in its forms: as the user types, it leaves strings in process memory that together contain every character of the master password except the first one.
The vulnerability, now tracked as CVE-2023-32784, was discovered by a security researcher who published a KeePass 2.X password dumper on GitHub two weeks ago to demonstrate the exploitation possibility. The tool retrieves data from the KeePass memory dump containing the sensitive info and delivers the potential password candidates to the users in readable plaintext form.
The Master Password Dumper works regardless of where the memory comes from (a process dump, the swap file, the hibernation file, or a RAM dump) and regardless of whether the workspace is locked, and it may even recover the secret from RAM shortly after KeePass has been terminated.
Impact on KeePass
The impact on users of the software is undeniably severe, as anyone holding the master password may unlock the software’s password database and retrieve all credentials for all online accounts of the impacted user.
However, several mitigating factors in CVE-2023-32784 somewhat lessen its impact, at least for most of the regular users of the application.
First, the flaw only impacts KeePass 2.X, including its latest version, 2.53.1. However, a significant portion of the KeePass userbase still uses KeePass 1.X, which isn’t vulnerable.
Secondly, the flaw can only be exploited by someone with physical access to the target’s computer or by somebody who has stolen the target’s hard drive. With those scenarios excluded, the only remaining way to exploit CVE-2023-32784 would be to deploy malware on the target system, which can be prevented if good security practices are followed.
Thirdly, if the user sets their master password by pasting it into the KeePass form instead of typing it, the memory strings mentioned above will not contain sensitive data, so nothing will be retrievable.
Dominik Reichl, the main developer of KeePass, said the fixes have already been implemented on a development snapshot of the software, and the first tests indicate they can effectively prevent the exploitation of the flaw.
The creator of the KeePass Master Password Dumper tool has confirmed that the fixes work as expected and that the attack cannot be reproduced in the newest version of the software.
The fixes are expected to be incorporated in version KeePass 2.54, which Reichl promised to make available by July 2023 and possibly earlier.