CVE-2023-32784: Master Password Disclosure in KeePass

Introduction

KeePass is a popular open-source password manager used by millions of people around the world. In May 2023, a vulnerability was discovered in KeePass that could allow an attacker to extract the master password in cleartext from the memory of the running KeePass process. This vulnerability is known as CVE-2023-32784 and has a CVSS score of 9.8.

Vulnerability Details

The vulnerability is caused by a flaw in the way that KeePass handles leftover strings in memory. When a user types a character into the KeePass master password field, a leftover string is created in memory. This leftover string is not cleared when the user clears the password field.

The leftover string is created by the KeePass SecureTextBoxEx control, which is a custom-developed text box for password entry. The SecureTextBoxEx control uses a technique called "overwriting" to clear the password field. However, this technique does not completely clear the leftover string.

The leftover string can be used to reconstruct the master password by using a technique called "string recovery." String recovery is the process of recovering a string from memory by analyzing a memory dump of the process.

An attacker who can gain access to the memory of the KeePass process can use this leftover string to reconstruct the master password. This can be done even if the KeePass database is locked.
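Because the attack requires a handle to the KeePass process with memory-read rights, the defensive signal is process access to KeePass.exe rather than anything inside KeePass itself. The following detection logic is an added example (not part of the original post or the KeePass project): it runs over constructed Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted source that obtained PROCESS_VM_READ on KeePass.exe; the allowlist and the sample paths are assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass

# Win32 access right required to read another process's memory (ReadProcessMemory, MiniDump).
PROCESS_VM_READ = 0x0010

# Processes expected to open handles to other processes on a workstation (assumption; tune per estate).
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}

@dataclass(frozen=True)
class Alert:
    source_image: str
    granted_access: int
    reason: str

def is_keepass_memory_read(event: dict) -> bool:
    """True if a Sysmon Event ID 10 record shows a handle to KeePass.exe that includes VM_READ."""
    if event.get("EventID") != 10:
        return False
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    if target != "keepass.exe":
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs the mask as hex text
    return bool(granted & PROCESS_VM_READ)

def detect(events: list[dict]) -> list[Alert]:
    """Return one Alert per non-allowlisted process that read KeePass.exe memory."""
    alerts = []
    for ev in events:
        if not is_keepass_memory_read(ev):
            continue
        if ev.get("SourceImage", "").lower() in ALLOWLISTED_SOURCES:
            continue
        alerts.append(Alert(ev["SourceImage"], int(ev["GrantedAccess"], 16),
                            "process handle to KeePass.exe with PROCESS_VM_READ"))
    return alerts

# Constructed sample records using Sysmon field names; all values are invented for this example.
KEEPASS = r"C:\Program Files\KeePass Password Safe 2\KeePass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": KEEPASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe", "TargetImage": KEEPASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe", "TargetImage": KEEPASS, "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe", "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT: {a.source_image} opened KeePass.exe with 0x{a.granted_access:X}: {a.reason}")
```

Only the second record fires: the first is allowlisted, the third asks for 0x1000 (query-limited information, no VM_READ), and the fourth targets a different process.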

Keepass Password Dumper

The Keepass Password Dumper project on GitHub provides a proof-of-concept exploit for CVE-2023-32784. The exploit uses string recovery to reconstruct the master password from a memory dump.

Affected Versions

The vulnerability affects KeePass versions 2.x prior to 2.53. The patch for this vulnerability was released in KeePass 2.54.

Mitigation Strategies

There are a few things that users can do to mitigate the risk of this vulnerability:

  • Update to KeePass 2.54 or later. This will patch the vulnerability and prevent attackers from extracting the master password from memory.

  • Use a strong master password. A strong master password is at least 12 characters long and contains a mix of uppercase and lowercase letters, numbers, and symbols.

  • Enable the "Lock database after idle" option in KeePass. This will prevent the master password from being stored in memory if KeePass is not being used.

  • Use a password manager that is not affected by this vulnerability. There are many other password managers available that are not affected by this vulnerability. Some examples include Bitwarden, LastPass, and 1Password.

Conclusion

CVE-2023-32784 is a serious vulnerability that could allow an attacker to gain access to all of the passwords stored in a KeePass database. Users should update to KeePass 2.54 or later as soon as possible to mitigate the risk of this vulnerability.
