KeePass releases fix for password-leaking security bug

Those that cannot apply the patch for whatever reason should reset their master password, delete crash dumps and hibernation files, and swap files that could hold pieces of their master password. In more extreme cases, they could reinstall their operating system.

Leftover strings

In mid-May, it was announced that the password management tool was vulnerable to CVE-2023-32784, a flaw that allowed threat actors to partially extract the KeePass master password from the application’s memory dump. The master password would come in cleartext. The vulnerability was discovered by a threat researcher going by the alias “vdohney”, who also released a proof-of-concept for the flaw. 

As explained by the researcher, the problem was found in SecureTextBoxEx: “Because of the way it processes input, when the user types the password, there will be leftover strings,” they said. "For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

Consequently, an attacker would be able to recover almost all master password characters, even if the workspace is locked, or the program was recently shut down. 

In theory, a threat actor could deploy an infostealer or a similar malware variant to dump the program’s memory and send it, together with the password manager’s database, back to a server under the attacker’s control.

From there, they’d be able to exfiltrate the master password without being pressed for time. With password managers, a master password is used to decrypt and access the database holding all other passwords.

• See if KeePass is one of our contenders for the best password manager

Via: BleepingComputer