A vulnerability in KeePass, an open-source password manager, can be exploited by a threat actor to access a user’s master password in plaintext, a security researcher who goes by the alias “vdohney” on GitHub found.
The security researcher published a proof-of-concept on GitHub that demonstrates how a threat actor can recover a KeePass master password in plaintext from a memory dump. The exploit requires access to a potential victim’s device, via some form of compromise unrelated to the vulnerability, but does not require code execution.
There is no patch currently available for the vulnerability, which the National Institute of Standards and Technology is tracking as CVE-2023-32784. “The issue has been fixed already for the next KeePass version, which will be released in about 2 weeks,” Dominik Reichl, the lead author of KeePass, said via email.
KeePass commands a niche share of the identity and access manager space, but it was first released in 2003 and has been certified and recommended by multiple IT and cybersecurity authorities in Europe. "It is installed by default on all PCs of the federal administration of Switzerland," according to KeePaas.
The exploit only works if the master password is typed directly into the text box for password entry on KeePass.
“What is interesting about this vulnerability is that it’s not an exploit of the password databases themselves but how the password in handled in memory, so the attacker is able to recover the master passwords for any open databases if the KeePass process is running,” John Dwyer, head of research at IBM Security X-Force, said via email.
A memory dump of a KeePass process due to troubleshooting or software crashes could also expose the master password to a threat actor without interacting with the KeePass process directly, Dwyer said.
Convenience comes at a potential cost
Password managers, which help users store credentials for applications and services in a cloud-based vault or local database, pose a concentrated risk that can be critical if compromised.
“Password managers have become the single point of compromise for a complete identity takeover and attackers know it,” John Bambenek, principal threat hunter at Netenrich, said via email. “Why steal one account when you can steal all of them since most people commingle personal and business logins in one manager.”
A monthslong cyberattack at LastPass in 2022 and the fallout that continued through the early months of this year exemplified this potential risk at a much greater scale.
Unlike LastPass, KeePass stores a user’s passwords in a local file that can be encrypted with a master password. The vulnerability underscores unknown risks associated with unmanaged password managers, according to Dwyer.
“While KeePass is an open-source password manager primarily intended for personal use, over the years I‘ve observed end users and administrators use local password managers to store enterprise credentials outside the purview of security,” Dwyer said.
Until a patch is available, users should scan their systems for process dump files associated with KeePass and remove them.
Active exploits of the vulnerability in KeePass have not been reported, but the relative ease with which a threat actor could compromise a system makes active exploits a real possibility.
“While this vulnerability requires access to the victim’s machine to execute, the proliferation of ransomware, malvertising and initial access brokers have illustrated that this isn’t a particularly difficult thing to achieve,” Casey Ellis, founder and CTO at Bugcrowd, said via email.
“I would be very surprised if we didn’t see attackers looking for KeePass on compromised machines and taking advantage of this window of exploitation before the KeePass user base has patched their systems,” Ellis said.
