KeePass vulnerability enables master password theft

A vulnerability in password manager KeePass lets a potential attacker obtain a plaintext master password from a user workspace, even if the workspace is locked.

The flaw, designated CVE-2023-32784 in the National Vulnerability Database, was made public Monday alongside a proof-of-concept (POC) exploit by Github user "Vdohney." According to the POC's readme, it is a "simple" tool used to recover the master password in plaintext from a KeePass instance's memory.

No code execution is required, and the readme claimed the exploit works regardless of whether the memory originates from a process dump, RAM dump, hibernation file or swap file. Vdohney also said in the GitHub post that it also doesn't matter whether the target user's system or workspace is locked down and that it's still possible to dump the passwords from memory even if KeePass is no longer running.

"The flaw exploited here is that for every character typed, a leftover string is created in memory. Because of how .NET works, it is nearly impossible to get rid of it once it gets created," the readme read. "For example, when 'Password' is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The POC application searches the dump for these patterns and offers a likely password character for each position in the password."

A master password leak is generally considered the worst-case scenario for a password manager, as the master password can be used to obtain access to all logins for accounts stored in a password manager instance. Vdohney wrote that the severity of the flaw depends on the user.

"If your computer is already infected by malware that's running in the background with the privileges of your user, this finding doesn't make your situation much worse," Vdohney wrote. "If you have a reasonable suspicion that someone could obtain access to your computer and conduct forensic analysis, this could be bad. Worst case scenario is that the master password will be recovered, despite KeePass being locked or not running at all."

Reichl responded to the POC on the KeePass' SourceForge forum. He thanked Vdohney for reporting the issue and said fixes would become available in KeePass release 2.54, which is expected to publish in the next two months. Vdohney confirmed they could no longer produce the vulnerability based on a test update Reichl made available.

KeePass is a popular open source password manager developed by Dominik Reichl that was first published in 2003. The vulnerability marks the latest instance in recent months of serious threats involving password managers -- the most public being last year's LastPass breaches.

Alexander Culafi is a writer, journalist and podcaster based in Boston.