KeePass is a popular password management tool that may be used for free and without restrictions. A master password is the first line of defense for any password management tool, and KeePass is no exception. The whole set of credentials is locked with a single master password. If somebody gains access to the master password, they can unlock the whole set of passwords. The master password is crucial for any password manager.
Security researchers recently disclosed a vulnerability in KeePass that could be abused to reconstruct the master password of the KeePass password database. The vulnerability has been assigned the CVE ID CVE-2023-32784 and a CVSS score of 9.8. We published this blog to create awareness about the newly disclosed master password disclosure vulnerability in KeePass. We are going to discuss the summary, technical details, affected KeePass versions, and tips to fix the master password disclosure flaw in KeePass.
A Short Note About KeePass and Its Key Features
KeePass is a free and open-source password manager that helps users securely store and manage their passwords. It is designed to provide a high level of security while offering convenience and ease of use. KeePass is available for various platforms, including Windows, macOS, Linux, and mobile devices.
Key Features of KeePass:
- Strong Encryption: KeePass uses strong and industry-standard encryption algorithms to protect your passwords and sensitive information. It primarily relies on Advanced Encryption Standard (AES) with a 256-bit key, ensuring that your data remains secure.
- Password Database: KeePass stores your passwords and other sensitive information in a password-protected database. This database is locked with a master password that only you know. It acts as the key to accessing all the stored information.
- Master Password: The master password is the main line of defense for your KeePass database. It should be a strong, unique password that is not used elsewhere. KeePass encourages the use of long and complex passwords to enhance security.
- Keyfile Support: In addition to the master password, KeePass allows you to use a key file as an additional authentication factor. The key file is a separate file that acts as a digital key to unlock your password database. It adds an extra layer of security, as an attacker would need both the key file and the master password to gain access.
- Two-Factor Authentication (2FA): KeePass supports the use of two-factor authentication for added security. It integrates with various 2FA methods, such as YubiKey, OATH TOTP (Time-based One-Time Password), and HOTP (HMAC-based One-Time Password) devices. This ensures that even if your master password is compromised, an attacker would still need the second factor to access your passwords.
- Auto-Type Functionality: KeePass includes an auto-type feature that automatically fills in login credentials for websites and applications. This feature saves time and prevents keyloggers from capturing your passwords while typing.
- Password Generator: KeePass includes a built-in password generator that creates strong and random passwords for you. You can customize the generated passwords based on length, character types, and other parameters.
- Portable and Cross-Platform: KeePass offers a portable version that can be run from a USB drive or other portable storage devices, allowing you to access your password database on different computers. Additionally, KeePass databases are compatible across multiple platforms, enabling seamless synchronization and accessibility.
- Extensions and Plugins: KeePass supports a wide range of extensions and plugins that enhance its functionality. These add-ons enable features such as browser integration, import/export capabilities, and integration with third-party services.
- Open-Source and Audited: KeePass is open-source software, which means its source code is freely available for inspection and review. This transparency allows security experts to audit the code and identify any potential vulnerabilities or weaknesses.
Summary of CVE-2023-32784
- Vendor: KeePass
- Vulnerability Type: Master Password Disclosure Vulnerability
- Base Score: 7.5 High
The CVE-2023-32784 vulnerability is a high-severity vulnerability found in KeePass versions 2.x prior to 2.53. The flaw allows the master password to be recovered in plaintext, excluding the first character. No code execution on the target system is required for this exploit, just a memory dump. It doesn’t matter where the memory comes from or whether the workspace is locked. It’s also possible to dump the password from RAM after KeePass is no longer running, although the chance of this being successful decreases over time.
Successful exploitation depends on the attacker having already compromised the potential target’s computer. It also requires that the password be typed on a keyboard and not copied from the device’s clipboard. The vulnerability stems from how a custom text box field, used for entering the master password, handles user input. It leaves traces of each character the user types in the program memory. An attacker could dump the program’s memory and reassemble the password in plaintext, with the exception of the first character.
According to a researcher:
“When a remote hacker exploits this flaw, any remaining string is created in the memory for every character typed. This is how .NET works; when it finally gets created, it is almost impossible to eliminate it.” - Vdohney
The vulnerability was initially published on the NVD on May 15, 2023, and last modified on May 26, 2023. The flaw has been identified as being related to the Cleartext Transmission of Sensitive Information (CWE-319), and the severity has been rated as high, with a base score of 7.5 on the CVSS (Common Vulnerability Scoring System) Version 3.x. The vector string associated with this flaw is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Please go through this Git page for more technical details.
Picture: Master Password Disclosure Vulnerability in KeePass (Image Source: GitHub)
Proof of Concept (KeePass Master Password Dumper)
Vdohney, who disclosed the flaw, published a PoC tool known as the KeePass Master Password Dumper on this GitHub page. This tool, while simple in design, can extract the master password from KeePass’s memory, revealing almost the entire password in plaintext, except the first character.
The beauty of this technique is that it doesn’t require executing any code on the targeted system. It can work with a memory dump from any source, be it a process dump, swap file (also known as pagefile.sys), hibernation file (hiberfil.sys), various types of crash dumps, or a complete system RAM dump. The state of the machine doesn’t affect the execution of this PoC tool: it can be locked or unlocked.
Interestingly, even if KeePass has been closed, it’s still possible to recover the password from the remaining memory traces. However, the success rate of this method decreases as more time passes since KeePass was last active.
Dominik Reichl, the author of KeePass, has acknowledged that the Master Password Dumper tool has been tested and confirmed to work with KeePass 2.53.1 on a Windows system and KeePass 2.47 on a Debian system (with the keepass2 package). The macOS version of KeePass should also be compatible with this method.
How to Run the KeePass Master Password Dumper
To set up the Master Password Dumper, follow the steps below:
- Install .NET. It supports most major operating systems.
- Clone the repository from GitHub using the following command: git clone https://github.com/vdohney/keepass-password-dumper. Alternatively, you can download it directly from GitHub.
- Navigate to the project directory using your terminal. If you’re on Windows, you can use PowerShell. The command is: cd keepass-password-dumper
- Run the command: dotnet run PATH_TO_DUMP
For Windows users, the simplest way to test this tool is by creating a process dump via the task manager. You can do this by right-clicking the KeePass process and selecting “Create dump file”.
You can further refine the operation by adding another parameter to the command:
dotnet run PATH_TO_DUMP PATH_TO_PWDLIST. This command generates a list of all possible passwords starting from the second character.
KeePass Versions Affected by this Master Password Disclosure Vulnerability
The master password disclosure vulnerability impacts KeePass version 2.x for Windows, Linux, and macOS. Specifically, versions 2.00 up to 2.53 are vulnerable to this flaw.
- KeePass 2.54 and earlier
- KeePassXC 2.6.2 and earlier
How to Fix CVE-2023-32784: Master Password Disclosure Vulnerability in KeePass?
The vulnerability is expected to be patched in KeePass version 2.54. Therefore, the best course of action is to update your KeePass application to version 2.54 or higher as soon as it becomes available (KeePass v2.54 is expected to be released in early June 2023). In addition, it’s recommended to change your master password and, if necessary, delete and overwrite potentially compromised memory files like crash dumps, hibernation files, and pagefile/swapfile.
To Upgrade KeePass to v2.54
- Visit the official KeePass website or the platform where you initially downloaded KeePass.
- Navigate to the download section.
- Look for KeePass version 2.54 or higher (KeePass v2.54 is expected to be released in early June).
- Download the setup file.
- Run the downloaded file and follow the instructions for installing the update.
- Once the update is installed, open KeePass and confirm that the new version is running.
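As an added example (not code from the KeePass project or from the original post), the PowerShell check below reports whether the installed KeePass 2.x build is still below the 2.54 fix version and whether the pagefile and hibernation file named above as memory sources are cleared at shutdown or disabled. It assumes the default KeePass install path and the standard Windows registry locations of the ClearPageFileAtShutdown and HibernateEnabled values; the function name Test-KeePassCve202332784 is our own.

```powershell
# Added defensive check for CVE-2023-32784 (not part of KeePass or the original post).
# Assumption: default KeePass 2.x install path; change $KeePassExe if yours differs.
$KeePassExe   = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'
$FixedVersion = [version]'2.54'

function Test-KeePassCve202332784 {
    param([string]$ExePath = $KeePassExe)

    $result = [ordered]@{}

    # 1. Installed version: the 2.x line below the 2.54 fix release is affected.
    if (Test-Path -Path $ExePath) {
        $installed = [version](Get-Item -Path $ExePath).VersionInfo.FileVersion
        $result.KeePassVersion  = $installed.ToString()
        $result.VersionAffected = ($installed.Major -eq 2 -and $installed -lt $FixedVersion)
    } else {
        $result.KeePassVersion  = "not found at $ExePath"
        $result.VersionAffected = $null
    }

    # 2. pagefile.sys can retain KeePass memory; ClearPageFileAtShutdown = 1 wipes it at shutdown.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $clear = (Get-ItemProperty -Path $mmKey -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    $result.PageFileClearedAtShutdown = ($clear -eq 1)

    # 3. hiberfil.sys is another named source; HibernateEnabled = 0 means it is not written.
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    $result.HibernationEnabled = ($hib -eq 1)

    # 4. Summary: anything still exposed after the upgrade should be remediated.
    $result.ActionNeeded = ($result.VersionAffected -eq $true) -or
                           (-not $result.PageFileClearedAtShutdown) -or
                           $result.HibernationEnabled

    [pscustomobject]$result
}

Test-KeePassCve202332784 | Format-List
```

Run it from an elevated PowerShell session so the registry values are readable; a VersionAffected of True means the upgrade above is still outstanding, and a HibernationEnabled of True or PageFileClearedAtShutdown of False means the memory files named in the fix section can still hold the old master password.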