Reading:
Vulnerability in KeePass Password Manager Permits Retrieving Master Password (CVE-2023-32784)

Vulnerability in KeePass Password Manager Permits Retrieving Master Password (CVE-2023-32784)

May 18, 2023

A vulnerability in the open-source password manager tool KeePass could allow retrieval of the master password. The vulnerability tracked as CVE-2023-32784 has a proof-of-concept (PoC) exploit available before its patch.

The KeePass 2.X branch for Windows, Linux, and macOS is vulnerable to CVE-2023-32784.

How Critical Is the CVE-2023-32784 Vulnerability?

The CVE-2023-32784 vulnerability’s CVSS score is yet to be announced, as it is currently awaiting analysis on National Vulnerability Database (NVD).

How Does the CVE-2023-32784 Vulnerability in KeePass Work?

CVE-2023-62784 exists in “SecureTextBoxEx,” a custom text box in KeePass software where the master password and other passwords are entered during editing.

The exploit requires a memory dump. It could be a KeePass process dump, a swap file (pagefile.sys), a hibernation file (hiberfil.sys), or the system’s RAM dump. Successful exploitation of the vulnerability allows retrieving the cleartext master password from a memory dump. The issue persists even if a workspace is locked or no longer running.

According to the researcher (“vdohney” on GitHub) who identified the vulnerability, a string is generated in memory for each character typed, and it is extremely difficult to eliminate afterward due to the functioning of .NET.

If the word “Password” is typed, for instance, it leaves behind the following strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The PoC exploit scans the memory dump for these patterns and suggests a probable character for each position in the password. However, the initial character cannot be recovered.

Proof-Of-Concept for CVE-2023-32784

KeePass 2.X Master Password Dumper, the proof-of-concept exploit for CVE-2023-32784, is accessible on GitHub. However, using the exploit alone is insufficient to remotely extract the password.

The researcher explains that the vulnerability could be exploited if your computer is already infected with malware that is running with your user’s permissions or if someone were to gain access to it.

How to Avoid Exploitation of the KeePass Vulnerability?

CVE-2023-32784 has been fixed in KeePass 2.54 test versions. The official release of the update is scheduled for July 2023. It is recommended that you update to KeePass version 2.54 or higher when they become available.

The researcher who published the PoC also provided the following steps as mitigation before the update:

  • Change the master password
  • Delete hibernation file
  • Delete pagefile/swapfile
  • To prevent carving, overwrite deleted data on the HDD
  • Restart your computer

You can also overwrite the HDD and reinstall the operating system to avoid the issue.

Enhancing Security with SOCRadar’s Real-Time Vulnerability Tracking 

SOCRadar’s Attack Surface Management tracks vulnerabilities in real-time across your organization’s digital footprint. It helps security teams prioritize vulnerabilities using contextual intelligence and makes the patching process easier.

SOCRadar Company Vulnerabilities, KeePass
Company Vulnerabilities on SOCRadar

The platform also provides insights into vulnerability trends exploited by threat actors. Vulnerability Intelligence within the Cyber Threat Intelligence section enhances awareness and proactive defense.

SOCRadar Vulnerability Intelligence, KeePass
SOCRadar’s Vulnerability Intelligence

Latest Posts