Vulnerability in KeePass Password Manager Permits Retrieving Master Password (CVE-2023-32784)
[Update] June 6, 2023: KeePass has fixed the CVE-2023-32784 vulnerability in version 2.54. Attacks leveraging the vulnerability relied on how passwords were typed and how many were entered in a session. By exploiting the way .NET CLR handles strings in memory, attackers obtained password candidates for each character position in the order they were entered by the user. Note that the password had to be typed on a keyboard, not copied from the clipboard. The latest KeePass release uses a Windows API to handle text box data, preventing the extraction of managed strings from memory.
A vulnerability in the open-source password manager tool KeePass could allow retrieval of the master password. The vulnerability tracked as CVE-2023-32784 has a proof-of-concept (PoC) exploit available before its patch.
The KeePass 2.X branch for Windows, Linux, and macOS is vulnerable to CVE-2023-32784.
How Critical Is the CVE-2023-32784 Vulnerability?
The CVE-2023-32784 vulnerability’s CVSS score is yet to be announced, as it is currently awaiting analysis on National Vulnerability Database (NVD).
How Does the CVE-2023-32784 Vulnerability in KeePass Work?
CVE-2023-62784 exists in “SecureTextBoxEx,” a custom text box in KeePass software where the master password and other passwords are entered during editing.
The exploit requires a memory dump. It could be a KeePass process dump, a swap file (pagefile.sys), a hibernation file (hiberfil.sys), or the system’s RAM dump. Successful exploitation of the vulnerability allows retrieving the cleartext master password from a memory dump. The issue persists even if a workspace is locked or no longer running.
According to the researcher (“vdohney” on GitHub) who identified the vulnerability, a string is generated in memory for each character typed, and it is extremely difficult to eliminate afterward due to the functioning of .NET.
If the word “Password” is typed, for instance, it leaves behind the following strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The PoC exploit scans the memory dump for these patterns and suggests a probable character for each position in the password. However, the initial character cannot be recovered.
Proof-Of-Concept for CVE-2023-32784
KeePass 2.X Master Password Dumper, the proof-of-concept exploit for CVE-2023-32784, is accessible on GitHub. However, using the exploit alone is insufficient to remotely extract the password.
The researcher explains that the vulnerability could be exploited if your computer is already infected with malware that is running with your user’s permissions or if someone were to gain access to it.
How to Avoid Exploitation of the KeePass Vulnerability?
CVE-2023-32784 has initially been fixed in KeePass version 2.54 test version and the official release of the update was scheduled for July 2023. As of June, the update is available earlier than expected. It is recommended that you update to KeePass version 2.54 or higher to avoid the exploitation of the vulnerability.
The researcher who published the PoC also provided the following steps as mitigation before the update:
- Change the master password
- Delete hibernation file
- Delete pagefile/swapfile
- To prevent carving, overwrite deleted data on the HDD
- Restart your computer
You can also overwrite the HDD and reinstall the operating system to avoid the issue.
Enhancing Security with SOCRadar’s Real-Time Vulnerability Tracking
SOCRadar’s Attack Surface Management tracks vulnerabilities in real-time across your organization’s digital footprint. It helps security teams prioritize vulnerabilities using contextual intelligence and makes the patching process easier.
The platform also provides insights into vulnerability trends exploited by threat actors. Vulnerability Intelligence within the Cyber Threat Intelligence section enhances awareness and proactive defense.