The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text.
KeePass is a very popular open-source password manager that lets you manage your passwords in a locally stored database, rather than in the cloud-hosted databases used by services such as LastPass or Bitwarden.
To secure these local databases, users can encrypt them using a master password so that malware or a threat actor can’t just steal the database and automatically gain access to the passwords stored within it.
The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target’s system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext.
The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control.
This export runs in the background, without the user being notified and without KeePass requesting the master password as confirmation before exporting, so the threat actor quietly gains access to all of the stored passwords.
After this was reported and assigned a CVE-ID, users asked the development team behind KeePass to add a confirmation prompt before silent database exports like the one triggered via a maliciously modified configuration file, or to provide a version of the app that comes without the export feature.
Another request is to add a configurable flag to disable exporting inside the actual KeePass database, which could then only be changed by knowing the master password.
Since CVE-2023-24055 was assigned, a proof-of-concept exploit has already been shared online, likely making it easier for malware developers to upgrade information stealers with the ability to dump and steal the contents of KeePass databases on compromised devices.
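The injected trigger described above lives in the TriggerSystem section of the KeePass XML configuration, so a defender can audit a configuration for triggers whose action is "Export active database" before letting it anywhere near an unlocked database. The following audit script is an added example, not KeePass's own code: the two base64 type GUIDs are assumed to be the ones KeePass's trigger system uses for that action and for the "Opened database file" event (verify against your installed version), and the sample configuration is constructed.

```python
"""Audit a KeePass 2.x KeePass.config.xml for triggers that export the active database.
Added example, not KeePass code. The two base64 type GUIDs are the identifiers KeePass's
trigger system uses for the "Export active database" action and the "Opened database file"
event (assumed from KeePass's trigger definitions; verify against your installed version)."""
import xml.etree.ElementTree as ET

EXPORT_ACTIVE_DATABASE = "D5prW87VRr65NO2xP5RIIg=="  # action: Export active database
OPENED_DATABASE_FILE = "5f8TBoW4QYm5BvaeKztApw=="    # event: Opened database file


def find_export_triggers(config_xml: str) -> list[dict]:
    """Return one finding per trigger action that exports the active database."""
    root = ET.fromstring(config_xml)
    findings = []
    # The root only declares xsi/xsd prefixes, so child tags carry no namespace.
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        events = [e.findtext("TypeGuid", "") for e in trig.iterfind("Events/Event")]
        for action in trig.iterfind("Actions/Action"):
            if action.findtext("TypeGuid") != EXPORT_ACTIVE_DATABASE:
                continue
            params = [p.text or "" for p in action.iterfind("Parameters/Parameter")]
            findings.append({
                "name": trig.findtext("Name", ""),
                "enabled": trig.findtext("Enabled", "true").lower() == "true",
                "fires_on_open": OPENED_DATABASE_FILE in events,  # i.e. right after unlock
                "export_path": params[0] if params else "",
                "export_format": params[1] if len(params) > 1 else "",
            })
    return findings


# Constructed sample: one benign trigger plus one shaped like the CVE-2023-24055 injection.
SAMPLE_CONFIG = r"""<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Application><TriggerSystem><Enabled>true</Enabled><Triggers>
    <Trigger><Guid>CONSTRUCTED-1</Guid><Name>Backup copy</Name>
      <Events><Event><TypeGuid>CONSTRUCTED-EVENT</TypeGuid></Event></Events>
      <Actions><Action><TypeGuid>CONSTRUCTED-ACTION</TypeGuid></Action></Actions></Trigger>
    <Trigger><Guid>CONSTRUCTED-2</Guid><Name>Update</Name><Enabled>true</Enabled>
      <Events><Event><TypeGuid>5f8TBoW4QYm5BvaeKztApw==</TypeGuid></Event></Events>
      <Actions><Action><TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid><Parameters>
        <Parameter>C:\Users\Public\export.xml</Parameter><Parameter>KeePass XML (2.x)</Parameter>
        <Parameter /><Parameter /></Parameters></Action></Actions></Trigger>
  </Triggers></TriggerSystem></Application>
</Configuration>"""

if __name__ == "__main__":
    for f in find_export_triggers(SAMPLE_CONFIG):
        print(f"trigger {f['name']!r} exports {f['export_format']} to {f['export_path']} "
              f"(enabled={f['enabled']}, fires on database open={f['fires_on_open']})")
```

Point it at the real KeePass.config.xml (and any enforced configuration file) of a host under review; an innocuously named trigger that exports on database open is exactly the shape worth escalating.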
Vulnerability disputed by KeePass devs
While the CERT teams of the Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team argues that this should not be classified as a vulnerability, given that attackers with write access to a target’s device can also obtain the information contained in the KeePass database through other means.
In fact, a “Security Issues” page on the KeePass Help Center has been describing the “Write Access to Configuration File” issue since at least April 2019 as “not really a security vulnerability of KeePass.”
If the user has installed KeePass as a regular program and the attackers have write access, they can also “perform various kinds of attacks.” Threat actors can also replace the KeePass executable with malware if the user runs the portable version.
“In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection),” the KeePass developers explain.
“These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment.”
However, even if the KeePass developers will not provide users with a version of the app that addresses the trigger-based export to cleartext, you can still secure your database by logging in as a system administrator and creating an enforced configuration file.
This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue.
Before using an enforced config file, you must also ensure that regular system users do not have write access to any files/folders in KeePass’ app directory.
And there is one more thing that could allow attackers to work around enforced configurations: using a KeePass executable launched from a folder other than the one where your enforced config file is saved.
“Please note that an enforced configuration file only applies to the KeePass program in the same directory,” the KeePass development team says.
“If the user runs another copy of KeePass without an enforced configuration file, this copy does not know the enforced configuration file that is stored elsewhere, i.e. no settings are enforced.”