Blog entry by Les Bell

Les Bell
Security News: 2023-05-19
by Les Bell - Friday, 19 May 2023, 8:07 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Vuln Exposes KeePass Master Password; PoC Available

A vulnerability in the dialog used by password safe program KeePass to accept the user's master password and decrypt its database allows an attacker to extract that master password. The vulnerability (CVE-2023-32784) allows an attacker to reconstruct the master password from a process memory dump from KeePass version 2 on Windows (version 1.x is unaffected).

Given the difficulty of obtaining that dump remotely, the vulnerability is probably not that severe; if the system is already infected, however, there is a possibility that the intruder could obtain passwords for other systems, sites and applications.

The flaw is in SecureTextBoxEx, a Windows.Forms.TextBox control used to enter passwords. Said its discoverer, vdohney,

"The flaw exploited here is that for every character typed, a leftover string is created in memory. Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

vdohney has also created a proof-of-concept which searches the dump for these patterns and offers a likely password character for each position in the password.

The good news is that the KeePass developers have already worked out a fix, which will be in KeePass version 2.54 and should be available in early June. Meanwhile, a workaround is that the PoC does not work if the password is copied and pasted into the form via the clipboard.

Dammit - only yesterday I was recommending KeePass to an audience, and now this happens! 😞

vdohney, Security - Dumping Master Password from Memory, Even When Locked, discussion thread, 1 May 2023. Available at https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/#0829.

vdohney, KeePass 2.X Master Password Dumper (CVE-2023-32784), GitHub project, 5 May 2023. Available online at https://github.com/vdohney/keepass-password-dumper.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags:
Permalink