A vulnerability has been discovered in the KeePass password management software (v2.X), allowing an attacker to dump the master password from the program’s memory.
The vulnerability (CVE-2023-32784) was discovered by security researcher Dominik Reichl and is expected to be resolved in the upcoming release of KeePass 2.54 in early June 2023.
Reichl described the flaw in a security report published on GitHub on Thursday, where he also clarified the vulnerability could be exploited only if the master password is typed on a keyboard and not if it is copied from the clipboard.
The flaw in KeePass involves a text box called SecureTextBoxEx used for password entry. It creates leftover strings in memory when characters are typed, making them difficult to remove due to .NET’s behavior.
For instance, when typing “Password,” residual strings like •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d are stored in memory. A proof-of-concept (POC) application developed by Reichl was able to scan the memory dump, suggesting likely password characters for each position.
Additionally, the attack requires no code execution on the target system, only a memory dump. The memory can be sourced from various files, including a RAM dump of the entire system. The flaw can also bypass the workspace’s locked status, as the password can be extracted from the memory even after KeePass is no longer running (although the chances decrease over time).
Read more on memory vulnerability exploits here: New Lenovo Notebook Models Affected By UEFI Firmware Vulnerabilities
To mitigate the risk associated with this vulnerability, users are advised to update to KeePass 2.54 or a higher version once it becomes available.
In the meantime, Reichl recommended KeePass users change their master password, restart their computer, delete the hibernation file and pagefile/swapfile, and overwrite deleted data on the hard disk drive (HDD) to prevent data carving.
Performing a fresh installation of the operating system (OS) is also advised to ensure maximum security.
The developer also clarified that some KeePass-based products, such as KeePassXC, Strongbox and KeePass 1.X, are not impacted by the vulnerability.
The security report comes months after the LastPass breaches brought password managers into the spotlight.