Vulnerability in KeePass allows theft of Master Password

CVE-2023-3278 vulnerability

KeePass, the popular open-source password manager, is grappling with a security flaw that can potentially expose the master password to attackers, compromising the entire password database. Discovered by a security researcher known as “vdohney,” the vulnerability has been assigned the identification CVE-2023-3278.^[1]

Can be extracted from the application's memory

A master password is the cornerstone of a password manager's functionality, protecting access to a vault of unique passwords for various online accounts. In KeePass, this master password encrypts the entire password database, rendering it unreadable without the correct password. However, a serious issue surfaces when this master password is at risk, as is the case in this newly identified KeePass vulnerability.

The flaw essentially allows attackers to extract the master password from the application's memory in cleartext form, regardless of whether the KeePass workspace is locked or even if the program is closed. Vdohney released a proof-of-concept tool, the “KeePass Master Password Dumper,”^[2] which can perform this extraction with remarkable efficiency.

The issue originates from a custom password entry box in the software, known as “SecureTextBoxEx,” used not only for master password entry but also other password edit boxes. As users type in their password, the software leaves traces of each character in the system memory. This forms the basis for the memory dump extraction tool, which searches for these patterns to reassemble the password.

The vulnerability is present in the latest KeePass version, 2.53.1, and is likely affecting all project forks due to its open-source nature. KeePass 1.X, KeePassXC, and Strongbox do not appear to be affected by CVE-2023-32784.

Exploitation and potential threats

Though the security flaw is significant, it's worth noting that an attacker must obtain a memory dump from the target machine to exploit it, necessitating either physical access or malware infection. Despite this requirement, information-stealing malware could scan for the presence of KeePass on a computer, extract the program's memory, and transmit both the memory dump and the KeePass database back to the attacker for offline password extraction.

Vdohney's proof-of-concept tool has successfully demonstrated this exploitation. After creating a database with a test master password and locking the KeePass workspace, the tool managed to recover most of the cleartext password from a full memory dump.

The researcher also warns that master passwords used in the past could potentially linger in memory, enabling their retrieval even if KeePass is no longer running on the compromised computer.

Incoming patch and future precautions

KeePass's developer, Dominik Reichl, is working on a fix for the issue, with the solution expected to roll out in the forthcoming KeePass version 2.54, likely in early June.^[3] The upcoming version is reported to feature two security enhancements: direct API calls to avoid the creation of managed strings that could leak secrets and dummy fragments with random characters in memory to obfuscate the real master password.

Even when the new version is released, the master password may still be stored in memory files. Users will need to clear their system's swap and hibernation files, and for those wanting to ensure absolute safety, a fresh OS install after a hard drive format is recommended.

As always, the best protection is precautionary – remain vigilant about the origins of your downloads and be cautious of phishing attacks. The potential vulnerability of your master password underscores the critical importance of maintaining robust security practices.