KeePass, the free and open-source password manager, has resolved a critical vulnerability known as CVE-2023-32784, which allowed the retrieval of the clear-text master password from the client’s memory.
KeePass encrypts sensitive information, including passwords and credit card numbers, using a master key or password. The bug was fixed with the release of KeePass version 2.54, addressing the issue and ensuring the security of users’ stored data.
A security researcher named Vdohney released a Proof-of-Concept (PoC) tool called KeePass 2.X Master Password Dumper, exploiting the unpatched flaw to retrieve the master password from KeePass 2.x versions.
The vulnerability originated from the use of a custom-developed text box called ‘SecureTextBoxEx’ for password entry in KeePass 2.X, enabling an attacker to recover the contents of password edit boxes and the master password.
Each character typed left a leftover string in memory; because .NET strings are immutable and the garbage collector does not zero memory it reclaims, these copies could not be reliably removed. By analyzing the patterns of these strings, the PoC tool could propose likely password characters for each position, increasing the attacker’s chance of success.
However, the password could only be retrieved if it was typed on a keyboard, not copied from a clipboard.
To mitigate the risk for users who cannot upgrade their installations, the researcher recommended measures such as changing the master password, deleting hibernation and swap files, overwriting deleted data on the hard drive, or performing a fresh installation of the operating system.
The most recent release of KeePass utilizes a Windows API to handle data from text boxes, preventing the creation of managed strings that could be extracted from memory and strengthening the overall security of the software.
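The two points above (why keystrokes accumulated in a managed string leave recoverable copies, and why the fix avoids creating managed strings) are easier to see in code. The following C# snippet is an added illustration written for this article; it is not KeePass code and does not reproduce its text box. The `SecretBuffer` class, the `AccumulateWithString` helper and the sample keystrokes are all constructed for the example.

```csharp
using System;
using System.Runtime.InteropServices;

// Added illustration (not KeePass code): a password accumulated in a .NET
// string leaves a trail of immutable copies, while a mutable char buffer
// that is pinned and zeroed on disposal does not.
static class ManagedStringLeak
{
    // Naive pattern: each keystroke appends to an immutable string.
    // Every intermediate value ("h", "hu", "hun", ...) is a separate heap
    // object that stays readable until the GC collects it, and the GC
    // does not overwrite the memory it reclaims.
    public static string AccumulateWithString(ReadOnlySpan<char> keystrokes)
    {
        string acc = "";
        foreach (char c in keystrokes)
            acc += c;   // allocates a new string; the previous one lingers
        return acc;
    }

    // Safer pattern: a fixed char[] buffer, pinned so the GC cannot copy it
    // during heap compaction, mutated in place, and zeroed when released.
    public sealed class SecretBuffer : IDisposable
    {
        private readonly char[] _buf;
        private readonly GCHandle _pin;   // pin: no stray copy on compaction
        private int _len;

        public SecretBuffer(int capacity)
        {
            _buf = new char[capacity];
            _pin = GCHandle.Alloc(_buf, GCHandleType.Pinned);
        }

        public void Append(char c)
        {
            if (_len == _buf.Length)
                throw new InvalidOperationException("buffer full");
            _buf[_len++] = c;   // in-place write: no new object, no leftover copy
        }

        // Expose the secret only as a span, never as a string.
        public ReadOnlySpan<char> Content => new ReadOnlySpan<char>(_buf, 0, _len);

        public void Dispose()
        {
            Array.Clear(_buf, 0, _buf.Length);   // overwrite before releasing
            _len = 0;
            if (_pin.IsAllocated) _pin.Free();
        }
    }

    static void Main()
    {
        // Constructed sample keystrokes, not a real password. In a real UI
        // the characters would arrive one by one from key events.
        ReadOnlySpan<char> typed = "hunter2".AsSpan();

        string leaky = AccumulateWithString(typed);
        Console.WriteLine(
            $"string version allocated {leaky.Length} strings along the way, " +
            "all of which remain readable until collected");

        using (var secret = new SecretBuffer(64))
        {
            foreach (char c in typed)
                secret.Append(c);
            // Consume the secret through the span (e.g. feed it to a key
            // derivation) without ever calling ToString() on it.
            Console.WriteLine(
                $"buffer version holds {secret.Content.Length} chars in one zeroable array");
        }   // Dispose() zeroes the buffer here
    }
}
```

The article notes that KeePass itself took a different route, handing text-box data to a Windows API so that no managed string is created at all; the buffer pattern above shows the same principle on the managed side, namely keeping a secret in memory that can be overwritten deterministically rather than in objects whose lifetime the garbage collector controls.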