
KeePass bug lets attackers extract the master password from memory


A vulnerability discovered last week in the open-source password manager KeePass Password Safe lets attackers extract the master password directly from the software’s memory.

In a blog post published May 18, Vulcan Cyber researchers said the vulnerability, CVE-2023-32784, presents an exploitable loophole that compromises the primary key needed to unlock the user’s password database. KeePass posted that it plans to issue a patch by early June.

This is the second time this year that researchers have posted information on a significant vulnerability involving KeePass. The first was in January, when an independent security researcher reported a flaw in the KeePass password manager.

The most recent vulnerability exists in versions prior to 2.54 of KeePass 2.x and exposes users to the risk of malicious actors recovering the cleartext master password from various memory sources. The Vulcan Cyber researchers said these sources include KeePass process dumps, swap files, hibernation files, or even full-system RAM dumps.

The researcher who uncovered the flaw, known as "vdohney," posted a proof-of-concept tool on GitHub. The tool demonstrates the retrieval of the master password from KeePass’s memory, except for the first character. What’s important, say the Vulcan Cyber researchers, is that this exploit does not require code execution on the targeted system, and attackers can accomplish this even if the workspace is locked or KeePass is no longer active.

Password managers are a popular way to create and use unique complex passwords for every site or application without having to remember each and every one, explained Mike Parkin, senior technical engineer at Vulcan Cyber. With a password manager, the user only needs to remember the password for one application, rather than potentially dozens. Unfortunately, Parkin said these password managers become very valuable to a threat actor if they can somehow find a flaw and exploit it. 

“Rather than having access to one of your sites, they have access to all of them,” said Parkin. “The recently discovered flaw in KeePass is a good example of this sort of vulnerability. Fortunately, there appears to be no way to remotely exploit this unless the threat actor already has access to the target system. However, if the system's already been compromised it would be possible to use this attack to potentially gain access to the stored KeePass passwords. As with any security vulnerability, best practice is to update to the latest version as soon as possible and to review vulnerable hosts to make sure they're not already compromised.”

Chris Clymer, chief information security officer at Inversion6, added that while this new vulnerability in KeePass is a concern, it’s also heartening to see that a fix has already been made and is planned for release soon. Clymer said KeePass users would probably have been better served had the researcher privately disclosed this vulnerability to KeePass and waited for the fix before releasing the exploit code.

“There's often pressure for researchers to gain attention by jumping on these issues rapidly and before patches are available to gain attention,” said Clymer. “Ultimately, this attack requires local access to a user's system. In that scenario, an attacker could accomplish similar results by installing a keylogger, or by taking advantage of application and web sessions after a user authenticates. It's not great to hear that the KeePass master password is scrapable from memory, but it's also not designed to protect against a local attacker. If an attacker simply gains access to the user's KeePass database, their credentials will still be protected.”
