KeePass releases fix for password-leaking security bug
Over the weekend, the password management tool KeePass was updated to address a high-severity vulnerability which allowed threat actors to exfiltrate the master password in cleartext.
Users with KeePass versions 2.x are advised to bring their instances to version 2.54 to eliminate the threat. Those using KeePass 1.x, Strongbox, or KeePass XC, are not vulnerable to the flaw and thus don’t need to migrate to the new version, if they don’t want to.
Those that cannot apply the patch for whatever reason should reset their master password, delete crash dumps and hibernation files, and swap files that could hold pieces of their master password. In more extreme cases, they could reinstall their operating system.
Leftover strings
In mid-May, it was announced that the password management tool was vulnerable to CVE-2023-32784, a flaw that allowed threat actors to partially extract the KeePass master password from the application’s memory dump. The master password would come in cleartext. The vulnerability was discovered by a threat researcher going by the alias “vdohney”, who also released a proof-of-concept for the flaw.
As explained by the researcher, the problem was found in SecureTextBoxEx: “Because of the way it processes input, when the user types the password, there will be leftover strings,” they said. “For example, when “Password” is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d.”
Consequently, an attacker would be able to recover almost all master password characters, even if the workspace is locked, or the program was recently shut down.
In theory, a threat actor could deploy an infostealer or a similar malware variant to dump the program’s memory and send it, together with the password manager’s database, back to a server under the attacker’s control.
From there, they’d be able to exfiltrate the master password without being pressed for time. With password managers, a master password is used to decrypt and access the database holding all other passwords.
Via: BleepingComputer