There are already a number of vectors by which an attacker with privileged access to a system can expose KeePass master passwords, but a new security exploit makes the process easier than ever.
Due to a flaw in the password manager’s text entry box, anyone with access to any kind of memory dump can locate strings that each contain one unprotected plaintext character from the master password. Enough of these are generated that they can be combined to reveal all but the first character of the password. There is no immediate fix, but the project lead is aware of the issue and has promised it will be patched in the next update (expected in a matter of weeks).
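To make the mechanism described above concrete, the following is an added Python model written for this article; it is neither KeePass source nor the researcher's proof of concept. It simulates a password box that rebuilds an immutable string on every keystroke (so each intermediate copy, masked prefix plus one plaintext character, stays behind in memory) next to a buffer-based design that writes keystrokes into one preallocated mutable buffer and zeroes it in place. The `FakeHeap` class is a stand-in for process memory; all class and function names here are hypothetical.

```python
# Added illustration (not KeePass code): why per-keystroke string rebuilding leaves
# one-character-per-string residue in memory, and a buffer-based alternative that
# leaves no such copies. FakeHeap models memory that is never scrubbed.
from dataclasses import dataclass, field
from typing import List

MASK = "\u25cf"  # '●', the placeholder a password box displays for typed characters


@dataclass
class FakeHeap:
    """Records every string a widget builds; nothing is ever scrubbed, which is
    what a memory dump of a process would show."""
    allocations: List[str] = field(default_factory=list)

    def alloc(self, s: str) -> str:
        self.allocations.append(s)
        return s


class LeakyPasswordBox:
    """Flawed pattern: build a new immutable string on each keystroke.

    The rebuilt string is masked_prefix + newly typed character, so after N
    keystrokes the heap holds N strings, each exposing one plaintext character.
    The very first keystroke has no masked prefix, which is why the first
    character cannot be told apart from other strings in memory."""

    def __init__(self, heap: FakeHeap) -> None:
        self.heap = heap
        self.length = 0

    def type_char(self, ch: str) -> None:
        self.heap.alloc(MASK * self.length + ch)  # intermediate copy left behind
        self.length += 1


class BufferPasswordBox:
    """Hardened pattern: keystrokes go into one mutable buffer allocated up front;
    no per-keystroke string objects are created and scrub() zeroes it in place."""

    def __init__(self, heap: FakeHeap, capacity: int = 256) -> None:
        self.heap = heap  # kept for symmetry; this widget never calls alloc()
        self.buf = bytearray(capacity)
        self.length = 0

    def type_char(self, ch: str) -> None:
        data = ch.encode("utf-8")
        if self.length + len(data) > len(self.buf):
            raise ValueError("password exceeds buffer capacity")
        self.buf[self.length:self.length + len(data)] = data
        self.length += len(data)

    def scrub(self) -> None:
        # Overwrite in place rather than reassigning, so no copy is made.
        for i in range(len(self.buf)):
            self.buf[i] = 0
        self.length = 0


def leaked_fragments(heap: FakeHeap) -> List[str]:
    """Strings in modelled memory shaped like a masked prefix plus one plaintext
    character, i.e. the residue the leaky widget produces."""
    out = []
    for s in heap.allocations:
        if len(s) >= 2 and s[-1] != MASK and set(s[:-1]) == {MASK}:
            out.append(s)
    return out


def compare_widgets(password: str):
    """Type the same (constructed, sample) password into both widgets and report
    (fragments left by the leaky box, strings allocated by the buffer box,
    whether the buffer is all zeros after scrubbing)."""
    leaky_heap = FakeHeap()
    leaky = LeakyPasswordBox(leaky_heap)
    for ch in password:
        leaky.type_char(ch)

    safe_heap = FakeHeap()
    safe = BufferPasswordBox(safe_heap)
    for ch in password:
        safe.type_char(ch)
    safe.scrub()

    return (
        leaked_fragments(leaky_heap),
        len(safe_heap.allocations),
        all(b == 0 for b in safe.buf),
    )


if __name__ == "__main__":
    frags, allocs, clean = compare_widgets("Secret123")  # constructed sample value
    print(f"leaky box left {len(frags)} single-character fragments")
    print(f"buffer box allocated {allocs} strings; buffer zeroed: {clean}")
```

Run as a script with a sample password and the leaky widget leaves one fragment per keystroke after the first, matching the "all but the first character" observation in the article, while the buffer-based widget leaves no string objects and ends with an all-zero buffer. The design point is not the masking itself but where the characters live: anything rebuilt as an immutable string on every change is copied into memory the application cannot later erase.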
Master passwords extremely vulnerable, though attack requires high level of access to device
KeePass users (along with those who use password managers in general) have been dealing with master password extraction tools and techniques for nearly as long as these pieces of software have been available, but a common theme is that the attacker needs a high level of access to the system: either remote compromise of the operating system via malware, or physical access to the device.
The present security exploit is along these same lines, as the attacker’s best chance at making use of it would be by physically accessing the computer, or at least swiping a hard drive. It does make things a little easier for those who have that sort of access, however, allowing the master password’s plaintext characters to be picked out from any sort of memory dump.
The most likely application of this security exploit is by attackers who have already remotely compromised a machine and find KeePass on it, though it has not yet been spotted in the wild. The technique was presented on SourceForge as a proof-of-concept by an independent security researcher.
This is also not the first KeePass security exploit of the year involving master passwords; one was reported in early February that also requires some sort of privileged access to a target device, but allows for fairly easy capture of plaintext characters by exploiting an issue in XML configuration settings.
Though circumstances of use are limited, new KeePass security exploit considered serious
The security exploit has been assigned a CVE number (CVE-2023-32784) and impacts all of the current 2.X versions of KeePass across all operating systems. The 1.X versions and the KeePassXC fork do not appear to be impacted as they use a different text entry system for the master password.
The issue will be patched in version 2.54 of KeePass, but there is no firm release date. The latest word is that it will arrive sometime in June or July. Until then, there isn’t much for users to do save possibly accessing it via a USB hardware key (which circumvents the vulnerable text entry box) or switching to KeePassXC. Of course, there is always the option of switching to a competing product, but nearly all of the major players have been struggling with their own security exploits as of late.