The KeePass development team is disputing a recently reported weakness that would let attackers covertly export the entire password database in plain text.

KeePass is a popular open-source password manager that lets you manage your passwords locally rather than in a cloud-hosted database such as LastPass or Bitwarden.

Users can encrypt these local databases with a master password, so malware or threat actors who steal the database file do not automatically gain access to the credentials it holds.

The newly discovered vulnerability, tracked as CVE-2023-24055, allows a threat actor with write access to a target’s system to modify the KeePass XML configuration file and insert a malicious trigger that exports the entire database, including all usernames and passwords, in cleartext.

The next time the target starts KeePass and enters the master password to open and decrypt the database, the export rule fires and the database contents are written to a file that the attackers can later exfiltrate to a system under their control.

KeePass Issues

Because this export runs in the background, without alerting the user or asking for the master password as confirmation, the threat actor can silently obtain every saved password.

After the issue was identified and assigned a CVE ID, users asked the KeePass development team either to release a version of the program without the export feature or to add a confirmation prompt before silent database exports, such as the one triggered by a maliciously modified configuration file.

Another request was for a configurable flag that would make exporting data from the KeePass database impossible, a flag that could be changed only by someone who knows the master password.

A proof-of-concept attack had already been published online before CVE-2023-24055 was issued, which makes it easier for malware authors to give their information stealers the ability to dump and steal the contents of KeePass databases on affected devices.

Vulnerability disputed by KeePass devs

Although the CERT teams of the Netherlands and Belgium have also published security advisories about CVE-2023-24055, the KeePass project team argues that it should not be considered a vulnerability, since attackers with write access to a target’s device can obtain the data in the KeePass database by other means as well.

In fact, the “Write Access to Config File” issue has been described as “not actually a security vulnerability of KeePass” on the “Security Issues” page of the KeePass Help Center since at least April 2019.

Attackers who have write access to a standard KeePass installation can also “conduct many kinds of attacks”, and if the user runs the portable version, threat actors could replace the KeePass executable with malicious code.

The KeePass developers explain that having write access to the configuration file “typically implies that an assailant can perform much more potent attacks than changing the configuration file. And these attacks can also affect KeePass, independent of a configuration file protection.”


“Only by maintaining the environment’s security can these attacks be stopped (by using anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot operate securely in an unsafe setting by magic.”

Even though the export-to-cleartext-via-triggers issue has not been fixed in the KeePass software, you can still protect your database by logging in as a system administrator and creating an enforced configuration file.

This type of configuration file mitigates CVE-2023-24055 because its settings take priority over those in the global and local configuration files, including any new triggers added by malicious actors.

Recommendation

Before using an enforced configuration file, you must also make sure that no regular system user has write access to any file or directory in the KeePass application directory.

Additionally, launching a KeePass executable from a folder other than the one containing your enforced configuration file could let attackers bypass the enforced settings.

The KeePass development team warns its users: “Please note that an enforced configuration file only applies to the KeePass application in the same directory.”

If the user launches another copy of KeePass without it, that copy does not know about the enforced configuration file, and no settings are enforced.
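Two checks a defender can run follow from the above: list every trigger in a KeePass.config.xml and flag those whose action parameters name an output file (the shape of the config-file export attack), and confirm that the enforced configuration file sits beside KeePass.exe. This is an added audit script, not KeePass project code; the trigger element layout is assumed from KeePass’s configuration format, the sample XML is constructed, and the file name KeePass.config.enforced.xml is taken from KeePass’s enforced-configuration documentation.

```python
# Added audit helper (not KeePass project code): lists triggers in a KeePass.config.xml,
# flags any whose action parameters look like an output file, and checks for the
# enforced configuration file next to the KeePass executable.
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample; element names follow the KeePass trigger layout (assumed here,
# GUIDs omitted). The first trigger exports the open database to a cleartext file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration><Application><TriggerSystem><Enabled>true</Enabled><Triggers>
  <Trigger><Name>Sync</Name>
    <Actions><Action><Parameters>
      <Parameter>KeePass XML (2.x)</Parameter>
      <Parameter>C:\\Users\\Public\\db.xml</Parameter>
    </Parameters></Action></Actions>
  </Trigger>
  <Trigger><Name>Lock on idle</Name>
    <Actions><Action><Parameters><Parameter>300</Parameter></Parameters></Action></Actions>
  </Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""

# A parameter that is a drive, UNC or POSIX path, or ends in a data-file extension,
# is the tell: few legitimate triggers need to write the database anywhere.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/).+|.+\.(?:xml|csv|txt|html?)$", re.I)

def list_triggers(xml_text):
    """Return [(trigger_name, [parameter, ...]), ...] for every configured trigger."""
    root = ET.fromstring(xml_text)
    out = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        name = trig.findtext("Name", default="<unnamed>")
        params = [p.text or "" for p in trig.iterfind(".//Action/Parameters/Parameter")]
        out.append((name, params))
    return out

def suspicious_triggers(xml_text):
    """Names of triggers with at least one file-path-like action parameter."""
    return [name for name, params in list_triggers(xml_text)
            if any(PATH_RE.match(p.strip()) for p in params)]

def enforced_config_present(app_dir):
    """True if KeePass.config.enforced.xml sits beside KeePass.exe in app_dir."""
    d = Path(app_dir)
    return (d / "KeePass.exe").is_file() and (d / "KeePass.config.enforced.xml").is_file()

if __name__ == "__main__":
    for name in suspicious_triggers(SAMPLE_CONFIG):
        print(f"trigger '{name}' writes to a file: review it")
    print("enforced config present:", enforced_config_present(r"C:\Program Files\KeePass Password Safe 2"))
```

Point the script at the real config (per-user in AppData or in the application directory) and at the directory KeePass is actually launched from, since an enforced file elsewhere protects nothing.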