KeePass, a widely used open-source password manager, stores user input in recoverable memory strings, including the master password that protects the user's credentials.
The problem stems from how KeePass handles user-typed content in forms, creating memory strings that contain all of the master password's characters except the first one.
The vulnerability, now tracked as CVE-2023-32784, was discovered by a security researcher who published a KeePass 2.X password dumper on GitHub two weeks ago to demonstrate that exploitation is possible. The tool retrieves data from a KeePass memory dump containing the sensitive information and delivers the potential password candidates to the user in readable plaintext form.
The Master Password Dumper works regardless of where the memory comes from (process dump, swap file, hibernation file, or RAM dump) or whether the workspace is locked, and may even retrieve secrets from RAM shortly after the program (KeePass) has terminated.
Impact on KeePass
The impact on users of the software is undeniably severe, as anyone holding the master password could unlock the software's password database and retrieve all credentials for all online accounts of the affected user.
However, several mitigating factors in CVE-2023-32784 significantly reduce its impact, at least for most regular users of the application.
First, the flaw only affects KeePass 2.X, including its latest version, 2.53.1. However, a good portion of the KeePass user base still uses KeePass 1.X, which isn't vulnerable.
Secondly, the flaw could only be triggered by someone with physical access to the target's computer or someone who has stolen the target's hard drive. With these scenarios excluded, the only possible way to exploit CVE-2023-32784 would be to deploy malware on the target system, which could be prevented if good practices are followed.
Thirdly, if the user sets their master password by pasting it into the KeePass form instead of typing it, the memory strings mentioned above will not contain sensitive data, so nothing will be retrievable.
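As an added example (not code from the article, from KeePass, or from the dumper tool), the C program below models the bug class the article describes: a text control that creates a fresh copy of "the text so far" on every keystroke, beside a single in-place buffer that is wiped when no longer needed. It also shows why pasting behaves differently, since a paste is a single write rather than a sequence of per-keystroke copies. The arena standing in for the heap, the sample password `hunter2` and the fragment `hunt` are constructed for the demonstration; the model is deliberately simplified and does not reproduce the exact strings KeePass left behind.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed arena stands in for the process heap so
 * that leftover copies of a secret can be inspected deterministically.
 * This is a simplified model of the bug class, not KeePass's own code. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_top = 0;

static void arena_reset(void) {
    memset(arena, 0, ARENA_SIZE);
    arena_top = 0;
}

static void *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Copy a string into the arena; nothing ever frees or zeroes it, which
 * mimics an immutable string object left behind by a text control. */
static char *arena_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = arena_alloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Wipe through a volatile pointer so the compiler cannot drop the store
 * as "dead" (a plain memset just before return is often optimised away). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Leaky pattern: each keystroke builds a brand-new copy of the text so
 * far, so the heap ends up holding s[0..1], s[0..2], ... s[0..n]. */
static void leaky_type(const char *password) {
    char cur[128] = {0};
    size_t len = 0;
    for (const char *c = password; *c && len + 1 < sizeof cur; c++) {
        cur[len++] = *c;
        cur[len] = 0;
        arena_strdup(cur);          /* intermediate copy is never wiped */
    }
    secure_wipe(cur, sizeof cur);
}

/* Safer pattern: one mutable buffer appended in place (a paste is the
 * same thing with a single write), wiped when no longer needed. */
static char *secure_type(const char *password, size_t cap) {
    char *buf = arena_alloc(cap);
    if (!buf) return NULL;
    size_t len = 0;
    for (const char *c = password; *c && len + 1 < cap; c++) {
        buf[len++] = *c;
        buf[len] = 0;
    }
    return buf;
}

/* The check a defender runs against their own process image: how many
 * copies of a fragment of the secret are still resident in the arena? */
static int count_residue(const char *fragment) {
    size_t n = strlen(fragment);
    int hits = 0;
    for (size_t i = 0; n && i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, fragment, n) == 0) hits++;
    return hits;
}

int leaky_residue(const char *password, const char *fragment) {
    arena_reset();
    leaky_type(password);
    return count_residue(fragment);
}

/* wipe = 0 counts residue while the buffer is live, wipe = 1 after it
 * has been zeroed. */
int secure_residue(const char *password, const char *fragment, int wipe) {
    arena_reset();
    char *buf = secure_type(password, 64);
    if (buf && wipe) secure_wipe(buf, 64);
    return count_residue(fragment);
}

int main(void) {
    /* "hunter2" and the fragment "hunt" are constructed sample values. */
    printf("leaky:  %d copies of the fragment\n", leaky_residue("hunter2", "hunt"));
    printf("secure: %d live, %d after wipe\n",
           secure_residue("hunter2", "hunt", 0),
           secure_residue("hunter2", "hunt", 1));
    return 0;
}
```

With the sample password, the leaky pattern leaves four copies of `hunt` resident (one in each of the prefixes `hunt`, `hunte`, `hunter`, `hunter2`), while the in-place buffer holds exactly one copy while live and none after the wipe. The volatile wipe matters: without it an optimising compiler may legally remove the zeroing because the buffer is not read again.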
Dominik Reichl, the main developer of KeePass, stated that the fixes have already been implemented in a development snapshot of the software, and the first tests indicate they will effectively prevent exploitation of the flaw.
The creator of the KeePass Master Password Dumper tool has confirmed that the fixes work as expected, and the attack cannot be reproduced in the newest version of the software.
The fixes are expected to be incorporated in version KeePass 2.54, which Reichl promised to make available by July 2023 and possibly earlier.