Overview

The open-source password manager KeePass has been linked to a newly disclosed vulnerability, CVE-2023-24055. Unlike most password managers, which store credentials in the cloud, KeePass keeps them in a database stored locally on your device. That database is encrypted and requires a master password before any of the credentials stored within can be accessed.

This vulnerability allows an attacker with write access to the XML configuration file to obtain the cleartext passwords by adding an export trigger; it affects any version of KeePass through 2.53 in a default installation. Once the changes are made to the XML file, the export runs automatically in the background, writing the usernames, passwords, and any other information stored in the database to an unencrypted plaintext file. The user is not notified that a file containing their stolen credentials has been exported.

KeePass has disputed the claims of this vulnerability, saying that anyone who has write access to a device can also reach the password database by other, possibly simpler, means. One such method is a keylogger that captures the master password as it is typed into KeePass, which for some attackers is easier than altering the XML file. The developers at KeePass have also stated “keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown email attachments, etc.). KeePass cannot magically run securely in an insecure environment”.

There are a few options for keeping a KeePass password manager secure, despite the developers' efforts to fix this vulnerability. You can create an enforced configuration file by following the steps in the KeePass enforced-configuration guide linked in the Sources below. Another option is to ensure users don’t have write access to any files or folders within your KeePass installation, and that the KeePass .exe file and the configuration file are in the same folder.
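As an added example (not code from the original post or from the KeePass project), the following Python audit covers both the attack path described above and the mitigation: it parses a KeePass.config.xml, reports every trigger it contains together with any action parameter that looks like an export file path, and notes whether the current user could modify the file. The trigger element layout, the %APPDATA% config location and the placeholder GUIDs are assumptions made here, and the sample config is constructed for the demonstration.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Hints that a trigger parameter names an output file (possible plaintext export).
FILE_HINTS = (".xml", ".csv", ".txt", ".html", "\\", "/")

# Constructed sample: a minimal KeePass.config.xml carrying one trigger whose
# action writes the database to a file. The element layout is an assumption about
# the KeePass 2.x config format; the GUIDs are placeholders, not real identifiers.
SAMPLE_CONFIG = """<Configuration><Application><TriggerSystem><Enabled>true</Enabled><Triggers>
<Trigger><Guid>PLACEHOLDER-GUID</Guid><Name>Sync</Name><Enabled>true</Enabled>
<Actions><Action><TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid><Parameters>
<Parameter>C:\\Users\\Public\\export.xml</Parameter><Parameter>KeePass XML (2.x)</Parameter>
</Parameters></Action></Actions></Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""


def audit_triggers(xml_text):
    """Return one record per <Trigger> found anywhere in the config.

    A default KeePass installation defines no triggers, so each one deserves
    review; any action parameter that looks like a file path is listed
    separately as a possible unencrypted export target."""
    findings = []
    for trig in ET.fromstring(xml_text).iter("Trigger"):
        params = [p.text or "" for a in trig.iter("Action") for p in a.iter("Parameter")]
        findings.append({
            "name": (trig.findtext("Name") or "").strip(),
            "enabled": (trig.findtext("Enabled") or "true").strip().lower() == "true",
            "params": params,
            "file_like": [p for p in params if any(h in p.lower() for h in FILE_HINTS)],
        })
    return findings


def audit_config_file(path):
    """Audit a config file on disk: its triggers, plus whether the current user
    can modify it (write access is the precondition for CVE-2023-24055)."""
    with open(path, encoding="utf-8-sig") as fh:
        findings = audit_triggers(fh.read())
    return {"path": path, "writable": os.access(path, os.W_OK), "triggers": findings}


if __name__ == "__main__":
    # Assumed default user config location for an installed KeePass 2.x.
    default = os.path.join(os.environ.get("APPDATA", ""), "KeePass", "KeePass.config.xml")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    if os.path.isfile(target):
        print(audit_config_file(target))
    else:
        print("no config found; auditing constructed sample:", audit_triggers(SAMPLE_CONFIG))
```

Any trigger reported on a machine where none were deliberately configured, or a config file that reports as writable by an ordinary user, is the condition the enforced-configuration and write-access mitigations above are meant to rule out.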

Sources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24055 – MITRE CVE-2023-24055
https://keepass.info/help/kb/config_enf.html – Enforced Configuration Steps
https://www.bleepingcomputer.com/news/security/keepass-disputes-vulnerability-allowing-stealthy-password-theft/ – BleepingComputer: KeePass disputes vulnerability allowing stealthy password theft
https://www.digitaltrends.com/computing/keepass-password-manager-exploit-no-fix/ – Digital Trends: KeePass password manager exploit, no fix