KeePass, a popular password manager, has recently been found to have a vulnerability that allows attackers to extract the master password from the application's memory. This means that even if the password database is locked, an attacker with access to the device can retrieve the master password and gain access to all stored credentials.
The vulnerability was discovered by a security researcher known as 'vdohney,' who developed a proof-of-concept tool to demonstrate the exploit. The tool can recover the KeePass master password in plaintext, except for the first one or two characters. It works by extracting traces of the password from the memory, which remains even when the workspace is locked or the program is closed.
The issue stems from the use of a custom password entry box called "SecureTextBoxEx," which leaves remnants of the characters typed by the user in the memory. This vulnerability affects the latest version of KeePass, 2.53.1, and potentially other forks of the program since it is open-source.
Exploiting the vulnerability requires either physical access to the target machine or malware infection. Information-stealing malware can identify the presence of KeePass, dump its memory, and retrieve the master password from the memory dump. Therefore, it is crucial to protect devices from malware and exercise caution when downloading programs or falling victim to phishing attacks.
The developer of KeePass, Dominik Reichl, has been made aware of the vulnerability and has promised to release a fix in version 2.54, which was initially scheduled for July 2023. However, the release of version 2.54 was moved forward, and it is now available for users to download.
In version 2.54, Reichl has implemented several security enhancements to mitigate the vulnerability. The software now uses a Windows API to interact with text boxes, preventing the creation of managed strings that can be dumped from memory. Additionally, dummy strings containing random characters are inserted into the memory to make it more challenging to retrieve fragments of the password.
Other security improvements in KeePass 2.54 include moving certain features and items, such as triggers and URL overrides, into the enforced configuration file for enhanced security. Users who cannot upgrade to version 2.54 are advised to take precautions, such as resetting their master password and deleting files that may contain fragments of the password.
It is worth noting that the vulnerability only affects passwords entered directly into KeePass's input forms. If credentials are copied and pasted, no data-leaking strings are created in memory.
To ensure maximum security, users should always keep their software up to date, exercise caution when handling sensitive information, and adopt good cybersecurity practices. KeePass remains a reliable password manager when used with the latest version and appropriate security measures.
In our blog, we post technology-related articles weekly. Follow us on Facebook and Instagram to get notifications about updates.
