The open-source password manager KeePass has debunked claims that it has a serious vulnerability allowing unauthorized access to users’ password vaults.
KeePass is primarily intended for individual use rather than as a business password manager. It differs from many popular password managers in that it does not store its database on cloud servers; instead, it stores it locally on the user’s device.
The newly reported vulnerability, CVE-2023-24055, allows attackers who have already gained access to the user’s system to export the entire vault in plain text by altering the XML configuration file, completely exposing all usernames and passwords.
Not our problem
When the victim next opens KeePass and enters the master password to unlock the vault, the altered configuration exports the database to a file that the attacker can then steal. The export runs silently in the background, with no notification from KeePass or the operating system and no further verification or authentication required, leaving the victim none the wiser.
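An added defender-side check, written for this article and not taken from it or from the KeePass project: it parses a KeePass-style configuration file and reports every enabled trigger, since the trigger section is where the configuration file defines automated actions and a typical personal setup defines none. The sample XML is constructed, the element layout is assumed from the KeePass trigger system, and the GUIDs are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a KeePass.config.xml holding one trigger. The element
# layout is assumed from the KeePass trigger system; the GUIDs are placeholders.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Triggers>
        <Trigger>
          <Name>Unexpected trigger</Name>
          <On>true</On>
          <Events><Event><TypeGuid>PLACEHOLDER-EVENT</TypeGuid></Event></Events>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION</TypeGuid>
              <Parameters><Parameter>C:\\Users\\Public\\out.xml</Parameter></Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

def list_triggers(xml_text):
    """Return one dict per <Trigger> under Application/TriggerSystem/Triggers."""
    root = ET.fromstring(xml_text)
    found = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        found.append({
            "name": trig.findtext("Name", default="(unnamed)"),
            "enabled": trig.findtext("On", default="true").strip().lower() == "true",
            "params": [p.text or "" for p in trig.iterfind(".//Action/Parameters/Parameter")],
        })
    return found

def audit(xml_text):
    """Flag every enabled trigger. A silent export needs a destination file,
    so parameters that look like file paths are called out in the finding."""
    findings = []
    for t in list_triggers(xml_text):
        if t["enabled"]:
            paths = [p for p in t["params"] if "\\" in p or "/" in p]
            msg = f"enabled trigger '{t['name']}' with {len(t['params'])} parameter(s)"
            findings.append(msg + (f", path-like: {paths}" if paths else ""))
    return findings
```

Run `audit()` over the real `KeePass.config.xml` from the user's profile and treat any finding as something to review by hand, since legitimate triggers also exist.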
Users on a SourceForge forum asked KeePass either to require the master password before allowing an export, or to disable the export feature by default and require the master password to enable it again.
A proof-of-concept exploit for this vulnerability is already available online, so it is only a matter of time before malware authors build on it and deploy it widely.
Without denying that CVE-2023-24055 exists, KeePass argues that it cannot protect against criminals who already control the user’s system. Attackers with write access to a user’s system, the developers said, could steal the password vault through all sorts of means that KeePass could not prevent.
This was described as a “configuration file write access” issue in April 2019, with KeePass claiming that it is not a vulnerability in the password manager itself.
The developers said that “Having write access to the KeePass configuration file typically means that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks can eventually affect KeePass as well, regardless of the protection of the configuration file)”.
“These attacks can only be prevented by keeping the environment secure (using anti-virus software, firewall, not opening unknown email attachments, etc.). KeePass cannot magically work securely in an unsecured environment,” they added.
While KeePass does not plan to add extra protection against unauthorized export via the XML file, there is a workaround that users can try. If they log in as an administrator instead, they can create an enforced configuration file that prevents the export from running. First, they have to make sure that no one else has write access to the KeePass files and directories before they activate the admin account.
However, even this is not foolproof: attackers can run a copy of the KeePass executable from a directory other than the one where the enforced configuration file is stored, meaning that, according to KeePass, “this copy does not know the forced configuration file that is stored in another place, [therefore] no settings are enforced.”