The development team behind open-source password manager software KeePass is challenging what is described as a recently discovered vulnerability that allows attackers to stealthily export the entire database in plain text.
KeePass is a very popular open-source password manager that stores your passwords in a locally stored database rather than a cloud-hosted one, as LastPass or Bitwarden do.
To secure these local databases, users can encrypt them with a master password so that malware or a threat actor cannot simply steal the database file and gain automatic access to the passwords stored in it.
The new vulnerability is now tracked as CVE-2023-24055, and it allows attackers with write access to a target's system to modify the KeePass XML configuration file and inject a malicious trigger that exports the database, including all usernames and passwords, in clear text.
The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule is triggered and the contents of the database are saved to a file, which the attackers can then exfiltrate to a system under their control.
This export process runs in the background without the user being notified and without KeePass asking for the master password as confirmation before the export, allowing the threat actor to discreetly access all stored passwords.
After this was reported and assigned a CVE ID, users asked the KeePass development team to add a confirmation prompt before silent database exports like the one triggered via a maliciously modified configuration file, or to provide an application version that ships without the export function.
Another request is to add a configurable flag to disable export inside the actual KeePass database, which could then only be modified by knowing the master password.
Since CVE-2023-24055 was assigned, a proof-of-concept exploit has already been shared online, which likely makes it easier for malware developers to upgrade infostealers with the ability to dump and steal the contents of KeePass databases on compromised devices.
Vulnerability disputed by KeePass developers
While CERT teams from the Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team argues that this should not be classified as a vulnerability, since attackers with write access to a target's device can also obtain the information in the KeePass database through other means.
In fact, a "Security Issues" page in the KeePass Help Center has described the "Write access to the configuration file" problem since at least April 2019 as "not really a KeePass security vulnerability".
If the user installed KeePass as a normal program and the attackers have write access, they can also "perform various kinds of attacks". Threat actors can also replace the KeePass executable with malware if the user is running the portable version.
"In either case, having write access to the KeePass configuration file usually means that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks can ultimately affect KeePass as well, regardless of configuration file protection)," explain the KeePass developers.
"These attacks can only be prevented by securing the environment (using anti-virus software, a firewall, not opening unknown attachments, etc.). KeePass cannot magically run securely in an insecure environment."
However, even though the KeePass developers will not provide a version of the app that fixes the plain-text export via triggers, you can still secure your database by logging in as a system administrator and creating an enforced configuration file.
This type of configuration file takes precedence over the settings in the global and local configuration files, including any new triggers added by malicious actors, thereby mitigating the CVE-2023-24055 issue.
Before relying on an enforced configuration file, you must also ensure that regular users of the system do not have write access to files or folders in the KeePass application directory.
There is one more thing that could allow attackers to bypass an enforced configuration: running a KeePass executable from a different folder than the one where your enforced configuration file was saved.
"Please note that an enforced configuration file only applies to the KeePass program in the same directory," says the KeePass development team.
“If the user runs another copy of KeePass with no configuration file applied, that copy does not know about the applied configuration file which is stored elsewhere, i.e. no settings are applied.”
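The following enforced configuration file is an added example of the mitigation described above; it is not from the article or from the KeePass project. It assumes the KeePass 2.x configuration schema as the editor understands it (Application/TriggerSystem/Enabled for the trigger system, Security/Policy/Export and Security/Policy/EditTriggers for the application policy); check these element names against your installed version's KeePass.config.xml before deploying.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- KeePass.config.enforced.xml: added example, not from the article or the KeePass project.
     Save it (as an administrator) in the same directory as KeePass.exe. Settings here take
     precedence over the global and local configuration files, so a trigger injected into
     KeePass.config.xml is not honoured. Element names follow the KeePass 2.x configuration
     schema as understood by the editor (assumption). -->
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application>
    <TriggerSystem>
      <!-- Switch the trigger system off entirely: no trigger, malicious or not, will run. -->
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
  <Security>
    <Policy>
      <!-- Application policy: forbid database exports and trigger editing altogether,
           so the export path is closed even if the trigger system were re-enabled. -->
      <Export>false</Export>
      <EditTriggers>false</EditTriggers>
    </Policy>
  </Security>
</Configuration>
```

Two caveats follow directly from the article: the file only governs the KeePass executable in its own directory, so a copy of KeePass run from elsewhere ignores it, and it is only as strong as the ACLs on the application directory, since a user who can write there can simply delete or edit the enforced file.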