News

KeePass fixes a vulnerability that could reveal the master password

Security Parrot Editorial Team

KeePass Updated to Version 2.54 to Fix Vulnerability CVE-2023-32784

KeePass, a popular open-source password manager, has been updated to version 2.54 in order to fix the vulnerability CVE-2023-32784. This vulnerability allowed attackers to extract the master password from the application memory in plain text format.

Vulnerability Discovered by Information Security Specialist

The vulnerability was discovered by an information security specialist known by the nickname vdohney. In mid-May, he showed a proof-of-concept exploit and explained that it was possible to recover the KeePass master password in cleartext without the first one or two characters, and regardless of whether the KeePass workspace was locked (the program can be closed altogether).
The problem was related to the fact that KeePass used a special password field – SecureTextBoxEx, which left traces of each character entered by the user in memory. Exploiting CVE-2023-32784 required physical access or infection of the target machine with malware, as a memory dump was required to recover the KeePass master password.

KeePass Developer Releases Patch for Vulnerability

KeePass developer Dominik Reichl was aware of this bug and promised to release a patch for CVE-2023-32784 by early June. Over the weekend, Reichl introduced the updated KeePass version 2.54 and recommended that all users of versions 2.x upgrade to the new version as soon as possible.
The updated password manager now uses the Windows API to set or retrieve data from text fields, preventing the creation of managed strings that could in theory be swapped out of memory. The developer also injected dummy fragments into the KeePass process memory containing random characters that will be about the same length as the user’s master password, thereby obfuscating the real key and preventing the extraction of password fragments from memory.
Users who cannot upgrade to KeePass 2.54 are advised to reset their master password, remove crash dumps, hibernation files, and swap files that may contain master password fragments, or rather perform a clean install of the OS.
KeePass is a popular open-source password manager that is used by millions of users around the world. It is important to keep the software up to date in order to protect users from potential security vulnerabilities. The latest version of KeePass, 2.54, fixes the vulnerability CVE-2023-32784, which allowed attackers to extract the master password from the application memory in plain text format.

Weekly Updates For Our Loyal Readers!

Share this Article
Lost your password?