The password manager has been updated to version 2.54, which fixes the vulnerability CVE-2023-32784, which allowed extracting the master password from the application memory in plain text format.
Initially, this vulnerability was discovered by an information security specialist known by the nickname vdohney. In mid-May, he showed a PoC exploit and explained that it is possible to recover the KeePass master password in cleartext without the first one or two characters, and regardless of whether the KeePass workspace is locked (the program can be closed altogether).The problem was related to the fact that KeePass uses a special password field – SecureTextBoxEx, which leaves traces of each character entered by the user in memory.
Let me remind you that we also reported that Information security specialists found a hidden backdoor in HP Device Manager, and also read our article: Default passwords for IoT devices. Why should you change them.
Since a memory dump is required to recover the KeePass master password, exploiting CVE-2023-32784 required physical access or infection of the target machine with malware. That is, any infostealer could check whether KeePass exists on the infected computer and, if necessary, make a dump of the program’s memory, then send it and the KeePass database to their operators. Although the password is incomplete, it will also not be difficult to pick up the missing characters.
The researcher explained that the vulnerability affects the latest version of KeePass, 2.53.1, and since the program is open source, any forks of the project are likely to be affected. At the same time, according to him, the vulnerabilities were not affected by KeePass 1.X, KeePassXC and Strongbox.
Then KeePass developer Dominik Reichl said that he was aware of this error and promised to release a patch for CVE-2023-32784 by early June.
Over the weekend, Reichl introduced the updated KeePass version 2.54 and recommended that all users of versions 2.x upgrade to the new version as soon as possible.
The updated password manager now uses the Windows API to set or retrieve data from text fields, preventing the creation of managed strings that could in theory be swapped out of memory. The developer also injected dummy fragments into the memory of the KeePass process, containing random characters that will have approximately the same length as the user’s master password, thereby obfuscating the real key and preventing the extraction of password fragments from memory.
Users who are unable to upgrade to KeePass 2.54 are advised to reset their master password, remove crash dumps, hibernation files, and swap files that may contain master password fragments, or rather perform a clean install of the OS.
Recall that this is not the first problem with this password manager, the media wrote in February this year that Vulnerability in KeePass Allows Stealing All User Passwords in Plain Text.