
KeePass password manager vulnerability revealed — but KeePass doesn’t agree

There’s a rumble afoot in the world of cyber security. On one side are the people behind the Common Vulnerabilities and Exposures (CVE) list, who have just published a new entry for the open-source password manager KeePass.

David Hollingworth
Tue, 31 Jan 2023

On the other is KeePass itself, which says the reported weakness is not a vulnerability at all, given the level of access an attacker needs in order to exploit it.

The new entry, CVE-2023-24055, describes how anyone with write access to KeePass’ XML configuration file can plant a trigger in it. The next time KeePass is started and the user unlocks their database, the trigger exports that database, and every username and password it holds, to a location of the attacker’s choosing.

The export runs in the background, so the user sees nothing, and the attacker never needs the master password: the trigger fires only after the legitimate user has already unlocked the database, and the export goes ahead without prompting for it again. According to the US National Institute of Standards and Technology’s vulnerability database, the entry is still being analysed, but a proof of concept is already publicly available.
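To make the mechanism concrete, here is an added example (not KeePass’ own code, and not from the original article) that reads a KeePass 2.x configuration file and reports any trigger whose actions look like a database export. The sample configuration embedded in it is constructed for this example, and the two type GUIDs it uses (the “Export active database” action and the “Opened database file” event, as they appear in the public proof of concept) are treated as assumptions: the check also falls back to matching export format names and file paths, so it still fires if those values are off.

```python
"""Audit a KeePass 2.x configuration file for export triggers.

Added example (not KeePass project code, and not from the original
article). It walks the <TriggerSystem> section of KeePass.config.xml
and reports every trigger, flagging those whose actions look like a
database export of the kind CVE-2023-24055 describes.
"""
import re
import xml.etree.ElementTree as ET

# Action type GUID for "Export active database", as it appears in the
# public proof of concept. Treated as an assumption here; the textual
# heuristic below still catches an export even if this value is wrong.
EXPORT_ACTION_GUID = "D5prW87VRr65NO2xP5RIIg=="

# Export format names (e.g. "KeePass XML (2.x)") or plain export paths.
EXPORT_HINT_RE = re.compile(r"KeePass (XML|CSV)|\.(xml|csv|kdbx?)$", re.IGNORECASE)

# Constructed sample config containing one malicious trigger. The event
# type GUID ("Opened database file") is likewise taken from the public
# proof of concept and treated as an assumption.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>Backup</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event>
              <TypeGuid>5f8TBoW4QYm5BvaeKztApw==</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter />
                <Parameter />
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def _is_true(text):
    """KeePass writes booleans as the strings 'true' / 'false'."""
    return (text or "true").strip().lower() == "true"


def audit_triggers(config_xml):
    """Return one dict per trigger: its name, whether it is active, and
    any actions that look like a database export."""
    root = ET.fromstring(config_xml)
    system = root.find("./Application/TriggerSystem")
    if system is None:
        return []
    system_on = _is_true(system.findtext("Enabled"))
    report = []
    for trigger in system.iterfind("./Triggers/Trigger"):
        export_actions = []
        for action in trigger.iterfind("./Actions/Action"):
            guid = (action.findtext("TypeGuid") or "").strip()
            params = [(p.text or "").strip()
                      for p in action.iterfind("./Parameters/Parameter")]
            if guid == EXPORT_ACTION_GUID or any(EXPORT_HINT_RE.search(p) for p in params):
                export_actions.append({"type_guid": guid, "parameters": params})
        report.append({
            "name": (trigger.findtext("Name") or "").strip(),
            "active": system_on and _is_true(trigger.findtext("Enabled")),
            "export_actions": export_actions,
        })
    return report


def exporting_triggers(config_xml):
    """Only the triggers that are enabled and would export the database."""
    return [t for t in audit_triggers(config_xml)
            if t["active"] and t["export_actions"]]


if __name__ == "__main__":
    for hit in exporting_triggers(SAMPLE_CONFIG):
        print("SUSPICIOUS trigger %r exports to %s" % (
            hit["name"], hit["export_actions"][0]["parameters"][0]))
```

Point it at the real file rather than the sample: for an installed KeePass that is `%APPDATA%\KeePass\KeePass.config.xml`, and for the portable version it sits next to KeePass.exe. Any trigger you did not create yourself deserves a look, not just the ones flagged as exports. For managed fleets, KeePass also documents an enforced configuration file (KeePass.config.enforced.xml in the application directory) whose settings take precedence over the user file, which is one way to keep a user-writable config from switching the trigger system on.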

That kind of access does sound dangerous, but KeePass’ rebuttal does make sense.


As far as KeePass’ developer is concerned, it is not really a vulnerability at all: if someone can already write to your configuration file, things have already gone badly wrong. Nor is the issue new. Bleeping Computer notes that it has been described on the KeePass Help Center page since 2019.

“An attacker who has write access to the KeePass configuration file can modify it maliciously (for example, he could inject malicious triggers),” KeePass has admitted. “This is not really a security vulnerability of KeePass though.

“Having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file,” KeePass adds, and we admit the project has a point.

Why export passwords when you can do far worse with greater ease, like installing your own malware, fiddling with a computer’s registry, or replacing KeePass entirely?

“These attacks can only be prevented by keeping the environment secure (by using an [sic] anti-virus software, a firewall, not opening unknown email attachments, etc.). KeePass cannot magically run securely in an insecure environment.”

The CVE listing itself notes the dispute, saying “the vendor’s position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC”.

Vulnerability or not, it is certainly something to be aware of. Make sure you know who, and what, can write to the KeePass configuration file on your machines, and treat any trigger you did not create yourself as suspect.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
