Vulnerability in KeePass facilitates master password theft

An independent researcher discovers a security hole in the well-known password manager KeePass that allows an attacker to recover the master password and gain access to the entire archive of user credentials.

Among the most famous and appreciated password managers, KeePass certainly occupies a leading position. This password manager lets you organize and securely store your credentials and other personal data in an encrypted database kept locally, without relying on any cloud platform. Over the years KeePass has become the basis for many spin-off projects developed within the open source community.

The KeePass database is protected with a master password, which can be combined with a key file (keyfile). The master password is the main secret that must be entered to access the contents of the KeePass database: it should be long, complex and unique to ensure maximum security. It should therefore be chosen so that it is difficult to guess and, of course, it must never be reused elsewhere.

Since, as noted, KeePass stores passwords locally, it is essential to take precautions to protect the device and the database file from unauthorized access or data loss. For example, it is advisable to make regular backups of the database to avoid accidental loss of data.

An independent researcher has recently published on GitHub proof-of-concept (PoC) code that exploits a newly discovered vulnerability in KeePass. Dubbed KeePass 2.X Master Password Dumper, the tool recovers the KeePass master password from a memory dump without executing malicious code and without requiring KeePass to still be running.

The researcher explains that the security problem has to do with how .NET, the framework on which KeePass is based, works. When you type, for example, Password, portions of the string remain in memory: the PoC looks for these “residues” within the dumped data and offers a probable character for each position.

The worst-case scenario is that a user with physical access to the PC can force access to KeePass by recovering the master password and, with it, the user's entire personal credential store. Malware or any other malicious component running on the system could also recover the master password.

Dominik Reichl, creator and developer of KeePass, said the vulnerability should be fixed in version 2.54 of the application, which is expected to be released in July along with other security updates.

What to do to defend the KeePass master password

The question is, what can be done to prevent an attacker from capturing the KeePass master password and using it to steal the user’s login credentials?

As soon as KeePass 2.54 or later is released, you should update immediately. In the meantime, though, if you’ve been using KeePass for a long time, chances are your master password (and potentially other passwords as well) is in your Windows page file and hibernation file.

As the author of the discovery says, depending on the user's “level of paranoia”, it is suggested to delete the hibernation file, remove the paging file, and overwrite the free space on hard drives and SSDs to prevent data recovery (for example with the Cipher utility using the /w option).
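The checks below, written here as an added example and not taken from the article or the KeePass project, audit a Windows host for the three points above (KeePass build, hibernation file, page file) from an elevated PowerShell and apply the cleanup only when asked. The KeePass install path and the ClearPageFileAtShutdown registry setting are assumptions not mentioned in the article.

```powershell
# Added example, not from the article or the KeePass project.
# Run from an elevated PowerShell; reports by default, changes only with -Apply.
#Requires -RunAsAdministrator
param(
    # Assumed default install location; adjust if your KeePass lives elsewhere.
    [string]$KeePassExe = "$env:ProgramFiles\KeePass Password Safe 2\KeePass.exe",
    [version]$FixedVersion = '2.54',
    [switch]$Apply
)

# 1. Is the installed KeePass build older than the version the fix ships in?
if (Test-Path $KeePassExe) {
    $ver = [version](Get-Item $KeePassExe).VersionInfo.ProductVersion
    if ($ver -lt $FixedVersion) {
        Write-Warning "KeePass $ver is older than $FixedVersion; update as soon as it is available."
    } else {
        Write-Output "KeePass $ver is at or above the fixed version."
    }
} else {
    Write-Warning "KeePass.exe not found at $KeePassExe (check the path)."
}

# 2. Hibernation file: hiberfil.sys is a memory image and can hold typed text.
$hib = Join-Path $env:SystemDrive 'hiberfil.sys'
if (Test-Path $hib) {
    Write-Warning "Hibernation file present: $hib"
    if ($Apply) { powercfg.exe /hibernate off }   # turning hibernation off deletes hiberfil.sys
}

# 3. Page file: list configured page files and check the (assumed) wipe-at-shutdown setting.
Get-CimInstance Win32_PageFileSetting | ForEach-Object {
    Write-Output "Page file configured: $($_.Name) (max $($_.MaximumSize) MB)"
}
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
if ((Get-ItemProperty $mm).ClearPageFileAtShutdown -ne 1) {
    Write-Warning 'ClearPageFileAtShutdown is not enabled; page file contents survive a reboot.'
    if ($Apply) { Set-ItemProperty $mm -Name ClearPageFileAtShutdown -Value 1 }
}

# 4. Overwrite free space on every fixed volume so deleted copies cannot be recovered.
if ($Apply) {
    Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' } |
        ForEach-Object { cipher.exe /w:"$($_.DriveLetter):\" }
}
```

Win32_PageFileSetting returns nothing when Windows manages the page file automatically, and cipher /w can take hours on large drives, so run the -Apply pass when the machine is otherwise idle.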
