For the second time in recent months a security researcher has discovered a vulnerability in the widely used KeePass open source password manager.

This one affects KeePass 2.X versions for Windows, Linux, and macOS, and gives attackers a way to retrieve a target's master password in cleartext from a memory dump — even when the user's workspace is closed.

Vdhoney described the vulnerability as one that only an attacker with read access to the host's filesystem or RAM would be able to exploit. Often, however, that does not require an attacker to have physical access to a system. Remote attackers routinely gain such access these days via vulnerability exploits, phishing attacks, remote access Trojans, and other methods.

"Unless you expect to be specifically targeted by someone sophisticated, I would keep calm," the researcher added.

KeePass maintainer Dominik Reichl acknowledged the issue and said he had implemented two enhancements to the password manager to address the problem.

The enhancements will be included in the next KeePass release (2.54), along with other security-related features, Reichel said. He initially indicated that would happen sometime in the next two months, but later revised the estimate delivery date for the new version to early June [2023].

https://www.darkreading.com/application-security/keepass-vulnerability-imperils-master-passwords

National Institute of Standards and Technology entry: https://nvd.nist.gov/vuln/detail/CVE-2023-32784

Statement on problem on GitHub: https://github.com/vdohney/keepass-password-dumper

1 year ago

Comment has been collapsed.

Well, that's unfortunately a predictable twist.
Put all your valuables in a safe, write down the combination somewhere in the same room and advertise it online... your office will become a hangout for safe crackers.
But good on them for being reactive and implementing improvements.

1 year ago*
Permalink

Comment has been collapsed.

Put all your valuables in a safe, write down the combination somewhere in the same room and advertise it online

To be clear, this vulnerability has nothing to do with that...

A researcher simply discovered that the master password lingers in memory in cleartext longer than it should, due to how the "password textbox" is implemented. To be vulnerable the attacker needs to already have access to your system physically to dump memory (or have remote access which is a big assumption in its self, and if it was the case you have other things to worry about too!)

Which is to say, it is business as usual, an implementation bug was discovered, it will be fixed, no big deal 🤷‍♂️

(KeePass and KeePassXC both already had security audits done before)

1 year ago
Permalink

Comment has been collapsed.

I get it and it was lucky it was a researcher who found the vulnerability and not a hacker.
My point was only that those password managers are a big target for hackers. They are as secure as can be but they also are vulnerable for the same reason they exist. People with bad intentions are going to want in
But again, it's a good thing that it happened the way it did and that they were very fast in fixing the issue.

1 year ago
Permalink

Comment has been collapsed.

yearly penetration parties where safe crackers go and get drunk well cracking safes together
it was on an episode of QI

1 year ago*
Permalink

Comment has been collapsed.

1 year ago
Permalink

Comment has been collapsed.

XD all this monkey business!

View attached image.
View attached image.
1 year ago
Permalink

Comment has been collapsed.

so disable remote access option. no problem!

1 year ago
Permalink

Comment has been collapsed.

As I understand it, they are not talking about an option in the password manager, but about trojans which typically have remote access and could potentially read the master password from memory like ormax3 explained above.

1 year ago
Permalink

Comment has been collapsed.

Not as crazy as it may sound, but still bump for visibility

1 year ago
Permalink

Comment has been collapsed.

OMG the title scarred me... I guess we (and our passwords) are safe though...

1 year ago
Permalink

Comment has been collapsed.

Don't worry, the attackers needs to have access to your PC to do something.

1 year ago
Permalink

Comment has been collapsed.

Thanks for confirmation!
Have an awesome day!

1 year ago
Permalink

Comment has been collapsed.

Fortunately KeePassXC is safe.

1 year ago
Permalink

Comment has been collapsed.

To put the issue in perspective: I had to dump Lastpass as their DB was compromised in favour of Bitwarden . The latter and Keepass are still one the safest bets according to security guys.

1 year ago
Permalink

Comment has been collapsed.

So what is the difference between KeePass and KeePass XC?

1 year ago
Permalink

Comment has been collapsed.

XC is cross-platform, while original Keepass is Windows only.

1 year ago
Permalink

Comment has been collapsed.

Keeping all my passwords in one basket doesn't sound safe to me. Thus I never used these kind of software.

1 year ago
Permalink

Comment has been collapsed.

What's the alternative?

1 year ago
Permalink

Comment has been collapsed.

having the same password for all your accounts, never written down only remembered in your head /s 😂

on a more serious note, there are pros and cons to every technique:

https://security.stackexchange.com/questions/3458/password-manager-vs-remembering-passwords

1 year ago*
Permalink

Comment has been collapsed.

:D
I would get their argument if Keepass was proprietary or cloud based..

1 year ago
Permalink

Comment has been collapsed.

I create my passwords with a combination of characters and only change one specific part of it depending on the service I sign up.

1 year ago
Permalink

Comment has been collapsed.

I guess you aren't signed up to many services then. I have more than 450 entries in my personal KeePass.
And if one of yours get hacked, all others can be brute-forced.

1 year ago
Permalink

Comment has been collapsed.

Sign in through Steam to add a comment.