A vulnerability in password manager KeePass (CVE-2023-32784) enables the extraction of the master password from the application's memory, allowing attackers with existing access to a vulnerable machine to retrieve the password, even when the database is locked.
A proof of concept (PoC) was published on May 18, 2023, and as of May 22 there is still no patch available for the vulnerability. The patch addressing this vulnerability was released in version 2.54.0. With a public PoC and no available patch, we expect to see exploitation attempts being made.
KeePass is an open-source password manager designed to enable users to create unique passwords for each of their accounts and store them in a local database, known as a password vault. To ensure the security of this password vault, users need to remember a single master password that is used to unlock it and access the credentials stored within.
The master password encrypts the vault, thereby preventing unauthorized access. However, if the master password is compromised, an attacker with access to the vault file can gain access to all the credentials stored in the database.
A proof of concept was published on May 18, 2023, demonstrating the ability to recover the KeePass master password, except for the first character, in plaintext form. This is possible regardless of whether the KeePass workspace is locked or even if the program is closed. It is a trivial task for an attacker to enumerate through all possibilities for the unknown first character, and therefore this vulnerability is functionally equivalent to leaking the complete password.
The root cause of this vulnerability is the use of a custom password entry box called SecureTextBoxEx, which leaves traces of each character entered by the user in memory.
According to Wiz data, 15% of cloud environments have at least one instance of KeePass, with 10% running versions vulnerable to CVE-2023-32784.
The vulnerability affects the KeePass password manager in versions newer than 2.0 up to the yet unreleased 2.54.
It is recommended to update your KeePass to the latest version as soon as possible.
While it is technically possible to use the following steps to mitigate the risk until a patch is made available, for most users these steps are not practical. Therefore, it would be best to ensure that VMs with vulnerable instances of KeePass are not publicly exposed or otherwise vulnerable to critical network vulnerabilities.
Change the KeePass master password on a regular basis ('File' → 'Change Master Key')
Delete crash dumps on a regular basis
Delete the hibernation file on a regular basis
Delete the swapfile on a regular basis
Overwrite deleted data on the HDD on a regular basis (to prevent file carving)
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for vulnerable instances in their environment.
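The affected range stated above (versions newer than 2.0, fixed in 2.54.0) can be applied to a software inventory as in the following added example, which is not code from KeePass or Wiz. The inventory layout, host names and status labels are assumptions made for illustration.

```python
import re

# From the page: affected are versions newer than 2.0; the fix shipped in 2.54.0.
BRANCH_START = (2, 0)
FIXED = (2, 54)

def parse_version(text):
    """Return a version tuple from text such as 'KeePass 2.53.1', or None."""
    match = re.search(r"\d+(?:\.\d+)+", text or "")
    if not match:
        return None
    parts = [int(p) for p in match.group().split(".")]
    while len(parts) > 2 and parts[-1] == 0:  # 2.54.0 and 2.54 are the same release
        parts.pop()
    return tuple(parts)

def classify(version_text):
    """Map a reported version to 'vulnerable', 'not_in_range' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparsable: keep for manual review, do not assume safe
    return "vulnerable" if BRANCH_START < version < FIXED else "not_in_range"

def triage(inventory):
    """Return (host, version, status) for KeePass rows that need attention."""
    findings = []
    for host, product, version in inventory:
        if product.strip().lower() != "keepass":  # the stated range covers KeePass only
            continue
        status = classify(version)
        if status != "not_in_range":
            findings.append((host, version, status))
    return findings

# Constructed sample inventory (hypothetical hosts, not data from the page).
SAMPLE_INVENTORY = [
    ("vm-build-01", "KeePass", "2.53.1"),
    ("vm-ops-02", "KeePass", "2.54.0"),
    ("vm-legacy-03", "KeePass", "1.41"),
    ("vm-dev-04", "KeePass", "unknown build"),
    ("vm-web-05", "OtherVault", "2.10"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Rows whose version cannot be parsed are reported rather than dropped, so an unreadable inventory entry is never counted as patched.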