Popular password manager KeePass has a worrying exploit that could possibly result in your master password being stolen.
A security researcher has published a proof-of-concept that demonstrates how a threat actor could extract a user’s master password from the KeePass app’s memory by exploiting a bug, tracked as CVE-2023-3278 .
“KeePass Master Password Dumper is a simple proof-of-concept tool used to dump the master password from KeePass’s memory. Apart from the first password character, it is mostly able to recover the password in plaintext,” claims the researcher.
No code execution
They added that, “No code execution on the target system is required, just a memory dump. It doesn’t matter where the memory comes from – can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system. It doesn’t matter whether or not the workspace is locked.”
The master password can also be extracted from the system’s RAM after KeePass has stopped running, although the researcher noted that the more time has elapsed since the app’s closure, the chances of successful extraction decrease.
The PoC was tested on Windows, but the researcher claims that the exploit also works on macOS and Linux versions.
The PoC works by exploiting a custom-developed text box for password entry, SecureTextBoxEx, which commits the characters a user types to the system memory. This box is not only used when typing the master password, but also when editing other stored passwords as well, so these could also be compromised.
The flaw affects KeePass 2.53.1 and any forks (the app is open-source) based on the original KeePass 2.X app written in .NET. The researcher states that KeePassXC, Strongbox, and KeePass 1.X are not affected, among potential other versions.
KeePass developer Dominik Reichl confirmed the existence of the vulnerability. A fix should be coming this June with version 2.54. The risk of an attack happening in the wild is somewhat limited, though.
The researcher says that if your system is already infected with malware, then this exploit could make it easier for them to go undetected when trying to steal your master password, since no code execution is required. However, if your system is clean, then you should be fine, as “no one can steal your passwords remotely over the internet with this finding alone,” states the researcher.