author photo
By Cam Sivesind
Tue | May 23, 2023 | 4:18 AM PDT

A nasty security flaw is leaving users of the KeePass password manager vulnerable to exploitation—namely, the ability to recover the master password in cleartext from those affected.

According to a post on The Hacker News, a security researcher known as "vdohney" discovered the flaw and soon after issued a proof-of-concept (PoC) to thwart the flaw.

The KeePass password manager is vulnerable to extracting the master password from the application's memory, allowing attackers who compromise a device to retrieve the password even with the database locked.

The issue impacts KeePass 2.x versions and allows an attacker to retrieve the cleartext master password from a memory dump. The vulnerability is exploitable even on workspaces that have been locked or are no longer running.

We asked cybersecurity vendor experts for their thoughts.

Craig Jones, Vice President of Security Operations at Ontinue, said:

"Discovering vulnerabilities in password managers serves as a reminder that no system is impervious to potential risks. However, with proper security measures and responsible usage, password managers can still be a valuable tool in enhancing password security and reducing the impact of data breaches.

The most worrying detail in this KeePass password dumper is its ability to bypass the master password protection. By doing so, an attacker can potentially gain access to all stored passwords and sensitive information. This highlights a critical vulnerability that could be exploited by individuals with physical access to a victim's computer or those capable of executing malicious code on the system.

While the exploit raises concerns, it is important to remember that vulnerabilities can exist in any software or system. and this needs physical access.  The concentrated risk and potential pitfalls of password managers lie in the fact that compromising a single master password can potentially expose multiple accounts and sensitive information. However, it's crucial to note that this particular vulnerability does not reflect the inherent weaknesses of all password managers. By choosing reputable and well-maintained password managers, regularly updating them, and following best practices, the security benefits of password managers can still outweigh the risks.

This follows on from the LastPass breach of December 2022. LastPass disclosed that the hackers utilized information obtained from the initial breach in August to gain unauthorized access to its systems during the subsequent incident in November. As a result, the attacker managed to acquire a backup of partially encrypted customer vault data, which included website URLs, usernames, and passwords. In response, LastPass advised its users to proactively update all of their stored passwords as an additional precautionary measure, while assuring that the passwords remained safeguarded by the account's master password. This all goes further to reduce trust in password managers.

To mitigate the threat posed by this KeePass exploit, organizations and individuals using KeePass can take the following measures:

•  Update KeePass to the latest version, as developers often release updates to address security vulnerabilities.
•  Use strong and unique master passwords that are not easily guessable.
•  Enable two-factor authentication (2FA) for an additional layer of security.
•  Secure the device running KeePass with strong passwords, encryption, and up-to-date security software.
•  Regularly back up the password database and store backups securely.
•  Consider alternative password managers with strong security track records and active development communities."

Casey Ellis, Founder and CTO at Bugcrowd, said:

"While this vulnerability requires access to the victims machine to execute, the proliferation of ransomware, malvertising, and Initial Access Brokers have illustrated that this isn’t a particularly difficult thing to achieve--especially in a post-COVID world where ungoverned workstations may be the ones with KeePass installed.

The vulnerability is fairly esoteric, and given the “keys to the kingdom” nature of password vaults, they are rightfully held to a much higher standard when it comes to code hygiene and security testing and auditing. The exploit itself isn’t trivial, but the PoC released by vdohney makes exploitation relatively simple and straightforward.

I would be very surprised if we didn’t see attackers looking for KeePass on compromised machines and taking advantage of this window of exploitation before the KeePass user-base has patched their systems."

John Bambenek, Principal Threat Hunter at Netenrich, said:

"Password managers have become the single point of compromise for a complete identity takeover… and attackers know it. Why steal one account when you can steal all of them since most people comingle personal and business logins in one manager? While different than LastPass' difficulties, this incident once again demonstrates the importance of protecting the password manager itself, either in the cloud or on the device. Using multi-factor authentication (MFA) and patching quickly will help protect users from becoming victims."