KeePass, a widely-used open-source password manager, leaves user input in memory as retrievable strings, including the master password that protects the user’s credential database.
The problem stems from how KeePass handles user-typed content in forms: each keystroke leaves behind a memory string, and together those strings contain every character of the master password except the first one.
The vulnerability, now tracked as CVE-2023-32784, was discovered by a security researcher who published a KeePass 2.X password dumper on GitHub two weeks ago to demonstrate the exploitation possibility. The tool retrieves data from the KeePass memory dump containing the sensitive info and delivers the potential password candidates to the users in readable plaintext form.
The Master Password Dumper works regardless of where the memory comes from (process dump, swap file, hibernation file, or RAM dump) or whether the workspace is locked, and may even retrieve secrets from RAM shortly after KeePass has been terminated.
Impact on KeePass
The impact on users of the software is undeniably severe, as anyone holding the master password may unlock the software’s password database and retrieve all credentials for all online accounts of the impacted user.
However, several mitigating factors in CVE-2023-32784 somewhat lessen its impact, at least for most of the regular users of the application.
First, the flaw only impacts KeePass 2.X, including its latest version, 2.53.1. However, a significant portion of the KeePass userbase still uses KeePass 1.X, which isn’t vulnerable.
Secondly, the flaw may only be triggered by someone with physical access to the target’s computer or somebody who has stolen their target’s hard drive. With those scenarios excluded, the only possible way to exploit CVE-2023-32784 would be to deploy malware on the target system, which can be prevented if good practices are followed.
Thirdly, if the user sets their master password by pasting it on the KeePass form instead of typing it, the mentioned memory strings will not contain sensitive data, so nothing will be retrievable.
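To make the bug class and the paste mitigation concrete, here is a constructed Python model, added to this article and not taken from KeePass or from the dumper tool. It does not reproduce KeePass internals: `MASK`, the class names, and the assumption that only a character appended to existing masked text leaves a "bullets plus character" string behind (which is what makes the first character unrecoverable) are all modelling choices. `Heap` stands in for a memory image a defender might inspect, and `leaked_positions` is the check one would run to confirm that a fix leaves no such fragments.

```python
"""Toy model of the bug class behind CVE-2023-32784 (constructed example,
not KeePass code): a masked text box that builds a fresh immutable string on
every keystroke leaves the intermediate strings in memory until they are
reclaimed, while a box that edits one mutable buffer in place and zeroes it
on clear does not."""
from __future__ import annotations

MASK = "\u2022"  # bullet used to mask typed characters (assumed)


class Heap:
    """Records every string a text box allocates, mimicking memory that has
    not yet been reclaimed or overwritten (process dump, swap, hibernation)."""

    def __init__(self) -> None:
        self.objects: list[str] = []

    def alloc(self, s: str) -> str:
        self.objects.append(s)
        return s


class LeakyMaskedBox:
    """Immutable-string box. Appending a character to existing masked text
    briefly creates 'bullets + new char' before the text is re-masked; the
    first character replaces empty text, so it never appears that way
    (modelling assumption chosen to match the 'all but the first' leak)."""

    def __init__(self, heap: Heap) -> None:
        self.heap = heap
        self.length = 0

    def type_char(self, ch: str) -> None:
        if self.length > 0:
            self.heap.alloc(MASK * self.length + ch)  # the leftover string
        self.length += 1
        self.heap.alloc(MASK * self.length)  # what the user sees

    def paste(self, text: str) -> None:
        # Pasted text arrives in one go, so no per-character strings exist.
        self.length += len(text)
        self.heap.alloc(MASK * self.length)


class ZeroingMaskedBox:
    """Mutable-buffer box: the secret lives in one bytearray edited in place,
    so typing never materialises partial copies, and clear() overwrites it."""

    def __init__(self, heap: Heap) -> None:
        self.heap = heap
        self.buf = bytearray()

    def type_char(self, ch: str) -> None:
        self.buf += ch.encode()
        self.heap.alloc(MASK * len(self.buf))  # only the all-bullets string

    def clear(self) -> None:
        self.buf[:] = b"\x00" * len(self.buf)  # overwrite, then release
        del self.buf[:]


def leaked_positions(heap: Heap) -> dict[int, str]:
    """Map position -> character for every leftover string of the form
    'n bullets + one character'; empty means the fix holds."""
    found: dict[int, str] = {}
    for obj in heap.objects:
        tail = obj.lstrip(MASK)
        if len(tail) == 1:
            found[len(obj) - 1] = tail
    return found


def recoverable_text(heap: Heap, unknown: str = "?") -> str:
    """Render the leaked positions as a string, '?' where nothing leaked."""
    found = leaked_positions(heap)
    if not found:
        return ""
    return "".join(found.get(i, unknown) for i in range(max(found) + 1))


def simulate(kind: str, password: str) -> str:
    """Enter `password` into a box of the given kind and report what a scan
    of the leftover strings could recover."""
    heap = Heap()
    if kind == "leaky-typed":
        box = LeakyMaskedBox(heap)
        for ch in password:
            box.type_char(ch)
    elif kind == "leaky-pasted":
        LeakyMaskedBox(heap).paste(password)
    elif kind == "zeroing-typed":
        box = ZeroingMaskedBox(heap)
        for ch in password:
            box.type_char(ch)
        box.clear()
    else:
        raise ValueError(kind)
    return recoverable_text(heap)


if __name__ == "__main__":
    for kind in ("leaky-typed", "leaky-pasted", "zeroing-typed"):
        print(f"{kind:14s} -> {simulate(kind, 'Password')!r}")
```

Typing into the leaky box yields every character but the first; pasting into the same box, or typing into the buffer-based box, leaves nothing for the scan to find, which is the behaviour the article's third mitigating factor and the upcoming fix both rely on.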
Dominik Reichl, the main developer of KeePass, said the fixes have already been implemented on a development snapshot of the software, and the first tests indicate they can effectively prevent the exploitation of the flaw.
The creator of the KeePass Master Password Dumper tool has confirmed that the fixes work as expected, and the attack cannot be reproduced in the newest version of the software.
The fixes are expected to be incorporated in version KeePass 2.54, which Reichl promised to make available by July 2023 and possibly earlier.
Can we safely say that if you don’t want your passwords to be known to other people, you must write them only on paper and keep it in a safe place?
Even more, is this sufficient? For example, what if a hacker retrieves my passwords not from KeePass, but while I type them when I try to log in to my accounts?
What will solve this type of security problem? Possibly logging in with face recognition technology?
But if face recognition solves this security problem, then what about privacy? Let’s say that some people would want both security and privacy. What about them?
My humble opinion is that there are no technological solutions to such problems. But, there may be other, non-technological solutions.
1Password, Bitwarden, and AI Roboform FTW!
Thanks for the information provided Heinrich. I did not know about it. I am sure KeePass will fix it soon.
I bet some clueless folks will stick with KeePass, which is always making headlines for the wrong reasons.
I believe NordPass and Dashlane are the best password managers one can get. I personally use the Dashlane Premium version and it works well. A password manager is the most essential and number one service for me, more than any other, including VPN, because managing over a hundred passwords and generating a unique password for each of them is a humongous task, and along with that I also have to secure my documents and several other important pieces of information, so Dashlane is the most essential to me.
Presumably this issue doesn’t affect KeePass alternatives such as KeePassXC?