Critical vulnerability discovered in KeePass password manager
A vulnerability (CVE-2023-32784) has been discovered in the KeePass password manager, potentially allowing retrieval of the master password from system memory dumps. This critical vulnerability poses a significant risk to users' sensitive information. What makes it particularly concerning is that exploitation does not require a live session: the password can be recovered from memory artifacts even if the application is locked or no longer running, exposing users' passwords to unauthorized access.
The developer of KeePass, Dominik Reichl, has promptly responded to the discovery and has announced plans to release a patch in the upcoming version 2.54 of the software. This patch, scheduled to be released within the next two months, aims to address the vulnerability and provide enhanced security measures for KeePass users. It is crucial for users to update their KeePass installations once the new version becomes available to ensure their passwords are adequately protected.
In the meantime, the security researcher who identified the vulnerability has published a proof of concept tool named "KeePass 2.X Master Password Dumper" on GitHub. This tool analyzes memory dumps, such as pagefile.sys, hiberfil.sys, or a dump of the KeePass process, and extracts the master password in clear text. Note that the recovered password may lack its first character, which can be easily obtained through testing.
Here is a list of steps that the researcher has recommended to take while the issue is officially resolved:
First, update to KeePass 2.54 or higher once available. Second, if you've been using KeePass for a long time, your master password (and potentially other passwords) is likely in your pagefile/swapfile and hibernation file. Depending on your paranoia level, you can consider these steps to resolve the issue:
- Change your master password
- Delete hibernation file
- Delete pagefile/swapfile (can be quite annoying)
- Overwrite deleted data on the HDD to prevent carving (e.g. cipher /w on Windows)
- Restart your computer
- Or just overwrite your HDD and do a fresh install of your OS.
While the vulnerability has the potential to compromise the master password of KeePass users, widespread exploitation is unlikely. However, it is essential for users to take additional precautions to safeguard their passwords. Implementing full disk encryption with a strong password, using software such as VeraCrypt, provides an extra layer of protection against offline access to these memory artifacts.
The developer has released a development build with a temporary fix that calls Windows API functions to get and set the text of the text box directly, thus avoiding the creation of managed strings. Additionally, the app generates dummy fragments in process memory to make it harder to identify the genuine fragments. Initial testing confirms that the fixed version no longer allows the attack to be replicated. However, this is a beta version and not the stable release, so caution is advised when running the development build. The upcoming official release of KeePass 2.54 will incorporate all these fixes and address the vulnerability for all users.
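The following is an added illustration of the "Windows API instead of managed strings" half of that fix; it is not KeePass's own code and does not reproduce its dummy-fragment logic. The class name ZeroableTextBoxReader, the method names and the sample text are assumptions made for this example. It contrasts the leaky pattern (accumulating typed characters into an immutable System.String, which leaves one unwipeable copy per keystroke for the garbage collector to clean up whenever it gets around to it) with reading the native edit control through WM_GETTEXT into a pinned char[] that the caller can zero with Array.Clear once the secret has been used.

```csharp
// Added example (not KeePass code): read a password text box through Win32
// messages into a zeroable char buffer instead of the managed .Text property,
// which returns an immutable System.String that may linger in process memory
// (and therefore in the pagefile or hibernation file) until it is overwritten.
using System;
using System.Runtime.InteropServices;
using System.Windows.Forms;

static class ZeroableTextBoxReader
{
    const uint WM_SETTEXT = 0x000C;
    const uint WM_GETTEXT = 0x000D;
    const uint WM_GETTEXTLENGTH = 0x000E;

    // IntPtr overload on purpose: the StringBuilder overload would hand the
    // text back as a managed string again on ToString().
    [DllImport("user32.dll", CharSet = CharSet.Unicode, EntryPoint = "SendMessageW")]
    static extern IntPtr SendMessage(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);

    // Leaky pattern: each keystroke produces a new immutable string
    // ("s", "se", "sec", ...) that nothing can wipe before the GC reclaims it.
    public static string LeakyAccumulate(string soFar, char typed) => soFar + typed;

    // Hardened read: the edit control copies its text straight into a pinned
    // char[] owned by the caller, who zeroes it when done.
    public static char[] ReadIntoZeroableBuffer(IntPtr editHandle)
    {
        int len = (int)SendMessage(editHandle, WM_GETTEXTLENGTH, IntPtr.Zero, IntPtr.Zero);
        char[] raw = new char[len + 1];                // +1 for the terminating NUL
        GCHandle pin = GCHandle.Alloc(raw, GCHandleType.Pinned);
        try
        {
            SendMessage(editHandle, WM_GETTEXT, (IntPtr)raw.Length, pin.AddrOfPinnedObject());
        }
        finally
        {
            pin.Free();
        }
        char[] text = new char[len];                   // drop the NUL without Array.Resize,
        Array.Copy(raw, text, len);                    // which would leave an unwiped copy
        Array.Clear(raw, 0, raw.Length);
        return text;
    }

    // Hardened write: send a NUL-terminated char[] with WM_SETTEXT, then wipe it.
    public static void WriteFromBuffer(IntPtr editHandle, char[] text)
    {
        char[] z = new char[text.Length + 1];          // last element is already '\0'
        Array.Copy(text, z, text.Length);
        GCHandle pin = GCHandle.Alloc(z, GCHandleType.Pinned);
        try
        {
            SendMessage(editHandle, WM_SETTEXT, IntPtr.Zero, pin.AddrOfPinnedObject());
        }
        finally
        {
            pin.Free();
            Array.Clear(z, 0, z.Length);
        }
    }

    [STAThread]
    static void Main()
    {
        using (var box = new TextBox { UseSystemPasswordChar = true })
        {
            IntPtr h = box.Handle;                     // creates the native edit control
            // Constructed sample value; the literal is itself a managed string here,
            // whereas in a real UI the characters arrive from the keyboard.
            char[] secret = "constructed-sample".ToCharArray();
            WriteFromBuffer(h, secret);
            char[] back = ReadIntoZeroableBuffer(h);
            Console.WriteLine(back.Length == secret.Length ? "round-trip ok" : "mismatch");
            Array.Clear(secret, 0, secret.Length);     // wipe both copies we control
            Array.Clear(back, 0, back.Length);
        }
    }
}
```

Two caveats worth keeping in mind. The native edit control still holds the text in unmanaged memory for as long as the control exists, so this reduces the number of copies rather than eliminating them, which is why the article's OS-level advice (disk encryption, clearing the hibernation file and pagefile) remains relevant. And the example compiles only against a Windows-targeted .NET with System.Windows.Forms available; it has no effect on how a dump taken before the fix is analyzed.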
Our take: According to the report, certain KeePass forks such as KeePassXC or Strongbox are not affected by this specific vulnerability. Therefore, it would be advisable to consider these alternatives for now.


Comments
The developer seems to have released a patched development/testing version before the next major release. This version changes the way it uses strings and also inserts dummy fragments in the strings kept in memory to make it harder to detect real passwords.
https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/?limit=25#0829
Hello! Thank you for sharing the link to the comment. I had already mentioned the temporary fix of the beta version at the end of the article, but I've expanded it a bit more to include the link to Dominik's comment on SourceForge as well.