Password managers have gained widespread acclaim for their ability to securely store and manage our ever-expanding collection of passwords. These free and open-source tools have become trusted companions for Windows, Linux, Mac OS X, and even mobile device users.
However, their reputation for impregnable security has been shattered by the recent discovery of a significant security vulnerability affecting a popular password manager.
Here’s everything you need to know about CVE-2023032784 in the KeePass password manager.
What is CVE-2023-32784?
Identified as CVE-2023-32784, this vulnerability specifically affects the open-source password manager KeePass Password Safe, allowing attackers to extract the master password directly from the software’s memory. Even when the workspace is locked or the application is no longer active, this flaw presents an exploitable loophole that compromises the primary key needed to unlock the user’s password database.
This particular vulnerability exists in versions prior to 2.54 of KeePass 2.x and exposes the risk of malicious actors recovering the clear text master password from various memory sources. These sources include KeePass process dumps, swap files, hibernation files, or even full-system RAM dumps. Although the recovery excludes the first character of the password, it remains a matter of concern.
The researcher who uncovered the flaw, referred to as vdohney, has shed light on this vulnerability through a proof-of-concept tool called “KeePass Master Password Dumper.” This tool effectively demonstrates the retrieval of the master password from KeePass’s memory, except for the first character. Importantly, this exploit does not require code execution on the targeted system and can be accomplished even if the workspace is locked or KeePass is no longer active.
Taking a deeper dive
At the core of this vulnerability lies the custom-developed text box, SecureTextBoxEx, utilized by KeePass 2.X for password input. While primarily used for master password entry, this text box is also present in other aspects of KeePass, such as password edit boxes.
Does CVE-2023-32784 affect me?
The impact of CVE-2023-32784 depends on your specific threat model. If your machine is already infected with background malware operating under your user rights, this discovery does not significantly exacerbate your situation. However, unlike KeeTheft and KeeFarce, the malware exploiting this vulnerability does not require process injection or other code execution to operate stealthily and evade antivirus software. This simplicity may facilitate the malware’s activities.
If you have a clean machine and employ full disk encryption with a robust password, you should be in good shape. Due to this discovery, it becomes impractical for anyone to remotely steal your credentials over the internet.
On the other hand, if there is a reasonable suspicion that someone might gain access to your computer for forensic examination, it could pose a problem. Even if KeePass is fully closed or secured, there remains a possibility of the master password being rediscovered, presenting a worst-case scenario.
Has CVE-2023-32784 been actively exploited in the wild?
Currently, no active exploitation of this flaw has been detected in the wild. The exploitation of CVE-2023-32784 revolves around the persistence of residual strings in memory, created for each character entered into the aforementioned text box. Due to the complexities of .NET, eliminating these strings once they are generated becomes exceedingly challenging. To illustrate, if the password “Password” is typed, a series of residual strings would be formed, such as •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. By examining the memory dump, the proof-of-concept application identifies these patterns and suggests potential password characters for each position.
The reliability of this exploit can vary depending on how the password was typed and the number of passwords entered in a given session. Nevertheless, even when multiple passwords were entered or typographical errors occurred, the arrangement of these strings in memory by the .NET CLR potentially enables the recovery of all passwords.
How to fix CVE-2023-32784
Although the vulnerability in question has been addressed in KeePass 2.54 through the implementation of different API usage and/or the insertion of random strings, its existence serves as a reminder of the ongoing necessity for unwavering vigilance and regular updates in the realm of cyber security. While we rely on password managers to safeguard our digital keys, it is crucial to acknowledge that they are not impervious to vulnerabilities.
It is also important to note that the vulnerability remains unfixed, and a publicly available proof-of-concept (PoC) exploitation tool, aptly named “KeePass 2.X Master Password Dumper,” exists. However, the positive aspect is that this flaw does not enable remote extraction of the password by exploiting the vulnerability alone.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- OWASP Top 10 vulnerabilities 2022: what we learned
- How to fix CVE-2023-25610 in FortiOS
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.
