Open-source password manager KeePass has refuted claims that it has a major security flaw allowing for undue access to user password vaults.
KeePass is designed primarily for individual use, rather than being a business password manager. It differs from many popular password managers in that it doesn’t store its database in cloud servers; instead, it stores them locally on the user’s device.
The newly discovered vulnerability, known as CVE-2023-24055 (opens in new tab), allows hackers who have already gained access to a user’s system to export their entire vault in plain text by altering an XML configuration file, completely exposing all their usernames and passwords.
Not our problem
When the victim opens KeePass and enters their master password to access their vault, this will trigger the export of the database to a file that the hackers can steal. The process quietly goes about its business in the background, without notifying KeePass or your operating system, so there is no verification or authentication required, leaving the victim non the wiser.
Users on a Sourceforge forum (opens in new tab) have asked KeePass to implement the requirement of their master password to be inputted before the export is allowed to happen, or to disable the export feature by default and requiring the master password to reenable it.
A workable exploit of this vulnerability has already been shared online, so it is only a matter time before it is developed further by malware developers and made widespread.
While not denying the existence of the CVE-2023-24055 vulnerability, KeePass’s argument is that it cannot protect against threat actors who already have control of your system. They said that threat actors with write access to a user’s system could steal their password vault via all sorts of means which it could not prevent.
It was described as a ‘write access to the configuration file’ issue back in April 2019, with KeePass claiming that it is not a vulnerability pertaining to the password manager itself.
The developers said that “Having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)”.
“These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment”, they added.
While KeePass are not willing to add any additional protections to prevent unauthorized export of the XML file, there is a workaround users can try. If they login as a user administrator instead, then they can create an enforced configuration file, which prevents the triggering of the export. They first have to make sure that no one else has write access to KeePass files and directories before they activate the admin account.
However, even this is not foolproof, since attackers could run an copy of the KeePass executable in another directory separate to where the enforced config file is stored, which means that, according to KeePass, “this copy does not know the enforced configuration file that is stored elsewhere, [therefore] no settings are enforced.”
- Want to lock down your system tight? Then you should consider using the best security keys