NCSC warns of Vulnerability in Password Manager KeePass

[Gandalf_The_Grey]

Dutch article translated by DeepL:

The Ministry of Justice and Security's National Cyber Security Center (NCSC) is warning of a vulnerability in password manager KeePass that would allow an attacker who already has access to a system to obtain data in the KeePass database, such as passwords. The developer states that this is not a vulnerability and KeePass' password database is not designed to protect against an attacker with such access to the system. Accordingly, no security update will be released.

A proof-of-concept exploit that allows a local attacker to obtain the contents of the KeePass database has appeared online. The security flaw is caused by KeePass' configuration being stored unencrypted. A local attacker can modify this configuration and add a rogue export rule. When a user opens a KeePass database, the export rule causes stored data to be exported to the attacker undetected.

According to the NCSC, system administrators can still prevent abuse through an Enforced Configuration. "Setting the ExportNoKey parameter to false ensures that a master password is required for exporting stored data. This prevents a malicious party from surreptitiously exporting sensitive data," the NCSC said.

The government agency advises organizations to use an Enforced Configuration and implement at least the above configuration. In addition, organizations are advised to perform risk assessment before using KeePass. The vulnerability in KeePass is designated as CVE-2023-24055, but has been disputed by the developer.

NCSC waarschuwt voor kwetsbaarheid in wachtwoordmanager KeePass - Security.NL

www.security.nl

 

[Azure]

That has been something I have been wondering about since quite some people have decided to quit using cloud password manager. Couldn’t a hacker just target their local password manager.

And sure this article states that this vulnerability requires a local hacker. But isn’t that how a lot of things start? With small often overlook steps.
Who to say what will happen in a couple of months and if that might no longer be a requirement.

 

[zkSnark]

When LastPass was hacked, people were suggesting not to go for Cloud Password Manager like Bitwarden but to use most secured Offline Password Manager like KeePass. Even KeePass is vulnerable, so what do we do now?

 

[ScandinavianFish]

When LastPass was hacked, people were suggesting not to go for Cloud Password Manager like Bitwarden but to use most secured Offline Password Manager like KeePass. Even KeePass is vulnerable, so what do we do now?

Spoiler

 

[WhiteMouse]

When LastPass was hacked, people were suggesting not to go for Cloud Password Manager like Bitwarden but to use most secured Offline Password Manager like KeePass. Even KeePass is vulnerable, so what do we do now?

Joke aside, I don't care about product X has a vulnerability, it happens to every software. The only thing that important is how the company deals with it.

 

[Azure]

When LastPass was hacked, people were suggesting not to go for Cloud Password Manager like Bitwarden but to use most secured Offline Password Manager like KeePass. Even KeePass is vulnerable, so what do we do now?

For Keepass what the articles says seem like an option

According to the NCSC, system administrators can still prevent abuse through an Enforced Configuration. "Setting the ExportNoKey parameter to false ensures that a master password is required for exporting stored data. This prevents a malicious party from surreptitiously exporting sensitive data," the NCSC said.

For Bitwarden, make sure you have a strong master password

 

[Andrezj]

Dutch article translated by DeepL:

NCSC waarschuwt voor kwetsbaarheid in wachtwoordmanager KeePass - Security.NL

www.security.nl

this method does not require physical access
by "access" they mean the attacker has gained network access to the system, such as a remote agent running on the system or a local attacker who has gained access remotely while being behind the router on the LAN
now threat actors can programmatically perform the attack, incorporate it into a infostealer that will send the password export file to a remote destination

the "poc" was done by a local hacker but that does not preclude the same poc performed by a remote attacker

the notification is not accurately written, all an attacker needs is write access to the keepass configuration file - that can be any attacker with the required permssions - local or remote

 

[Gandalf_The_Grey]

WARNING - AN ATTACKER WHO HAS WRITE ACCESS TO THE KEEPASS CONFIGURATION FILE CAN MODIFY IT AND INJECT MALICIOUS TRIGGERS

Sources​

Keepass - Security Issues - KeePass

Risks​

An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g to obtain the cleartext passwords by adding an export trigger.

Description​

KeePass features an event-condition-action trigger system. With this system workflows can be automated. An attacker could abuse this feature by injecting malicious triggers in the KeePass configuration file.
The Keepass knowledge base article regarding security issues indicates having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection).
These attacks can only be prevented by keeping the environment secure by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc. Therefore, no patch will be provided.
Other projects supporting KeePass databases such as KeePassXC do not share code with KeePass. In addition, these do not implement a trigger system and are by consequence not vulnerable to this attack vector.

Recommended Actions​

Since no patch will be made available, the CCB suggests to implement a mitigation via the enforced configuration feature. This feature is intended primarily for network administrators who want to enforce certain settings for users of a KeePass installation but can also be used by end users to harden their KeePass setup. Please take note this hardening only makes sense if this file can not be modified by the end user.

Settings in the enforced configuration file KeePass.config.enforced.xml take precedence over settings in global and local configuration files. Various options to harden your KeePass setup are documented in the GitHub Keepass-Enhanced-Security-Configuration repository listed in the reference section. It is for example possible to fully disable the trigger feature (XPath Configuration/Application/TriggerSystem).

Organizations might also consider moving to an alternative password manager with support for KeePass password vaults.

References​

Vendor mailing list - KeePass / Discussion / Open Discussion: someone can read the passwords using export trigger

Vendor knowledge base - Enforced Configuration - KeePass

Vulnerability disclosure - GitHub - alt3kx/CVE-2023-24055_PoC: CVE-2023-24055 PoC (KeePass 2.5x)

KeePass hardening guide - GitHub - onSec-fr/Keepass-Enhanced-Security-Configuration: Make your keepass more secure.

Warning - An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers

KeePass features an event-condition-action trigger system. With this system workflows can be automated.

cert.be

 

[plat]

KeePass disputes vulnerability allowing stealthy password theft

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text.

www.bleepingcomputer.com

If the user has installed KeePass as a regular program and the attackers have write access, they can also "perform various kinds of attacks." Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

"In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)," the KeePass developers explain.

"These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment."

However, even if the KeePass developers will not provide users with a version of the app that addresses the export to cleartext via triggers issue, you could still secure your database by logging in as a system admin and creating an enforced configuration file.

 

[Gandalf_The_Grey]

KeePass disputes vulnerability allowing stealthy password theft

The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text.

www.bleepingcomputer.com

Before using an enforced config file, you must also ensure that regular system users do not have write access to any files/folders in KeePass' app directory.

And there's also one more thing that could allow attackers to work around enforced configurations: using a KeePass executable launched from another folder than the one where your enforced config file was saved.

"Please note that an enforced configuration file only applies to the KeePass program in the same directory," the KeePass development team says,

"If the user runs another copy of KeePass without an enforced configuration file, this copy does not know the enforced configuration file that is stored elsewhere, i.e. no settings are enforced."

 

[silversurfer]

I recently switched to KeePass XC what has better support across other OS like Android, iOS, Linux. The self-developed KeePass XC browser extension is another advantage.

Documentation and FAQ – KeePassXC

KeePassXC Password Manager

keepassxc.org

This article (posted/shared by @Gandalf_The_Grey) notes that KeePass XC has not the same issues: "not vulnerable to this attack vector."

Warning - An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers

KeePass features an event-condition-action trigger system. With this system workflows can be automated.

cert.be

Edit: Confirmed by a member from developer team of KeePassXC:

KeePassXC is not affected, because it doesn't support triggers.

Statement on CVE-2023-24055? · Issue #9041 · keepassxreboot/keepassxc

It would be nice if you could add some kind of statement on the website or release notes, whether or not KeePassXC is affected from the recent security bug in the KeePass project. https://nvd.nist....

github.com

 

[Gandalf_The_Grey]

KeePass Password Manager vulnerability: what you need to know

Closing Words

Keeping a computer system secure is of paramount importance. Attackers who gain access to a system have lots of options at their disposal regarding data theft and other malicious activities. Still, triggers make the exporting of entire password databases simple.

KeePass Password Manager vulnerability: what you need to know - gHacks Tech News

A disputed KeePass vulnerability was disclosed recently. It allows attackers with write access to export the entire password database.,

www.ghacks.net

 

[Gandalf_The_Grey]

KeePass 2.53.1 password manager resolves vulnerability controversy

KeePass users may want to upgrade to version 2.53.1 immediately to protect their passwords against automated exports.

Users may also want to check a KeePass security setting to make sure that the database is properly protected against brute force attacks.

KeePass 2.53.1 password manager resolves vulnerability controversy - gHacks Tech News

KeePass 2.53.1 is a new update for the password manager that addresses a potential vulnerability in the application.

www.ghacks.net