KeePass contests vulnerability permitting password theft
Indiscriminate, opportunistic targeting.
Severity Level: High. Note: the vendor’s position is that the password database is not intended to be secured against a threat actor who has obtained the appropriate level of access to the target system.
The development team behind the password manager KeePass is disputing what has been reported as a newly discovered vulnerability that allows threat actors to stealthily export the entire password database in plaintext.
KeePass is an open-source password manager that stores its password database locally rather than in the cloud, unlike cloud-hosted alternatives such as LastPass or Bitwarden.
The vulnerability is being tracked as CVE-2023-24055. It allows a threat actor with write access to a target system to alter the KeePass XML configuration file and inject a malicious trigger that exports the database, including all usernames and passwords, in cleartext. When the target next launches KeePass and enters the master password to open and decrypt the database, the export trigger fires and the contents of the database are written to a file that the threat actor can later exfiltrate to a system under their control.
The export runs silently in the background: the target is not notified, and KeePass does not prompt for the master password as verification before the export takes place. The threat actor thereby obtains all of the stored passwords in cleartext.
The KeePass development team has argued that this security issue should not be classified as a vulnerability, given that a threat actor with write access to a target system can also obtain the information held in the KeePass database by other means. This position is documented on the KeePass Help Centre webpage.
Successful exploitation of this vulnerability allows a threat actor who retains write access to the associated XML configuration file to obtain the cleartext passwords from the database by adding an export trigger.
Exploitation of this vulnerability grants access to third-party credentials and thus provides initial access to further systems, enabling follow-on targeting.
Due to the current disputes regarding the vulnerability, KeePass has yet to release the relevant security patch for the affected products. As such, previous versions are vulnerable to potential exploits.
KeePass versions 2.53 and below.
Containment, Mitigations & Remediations
The KeePass developers have stated that the nature of the vulnerability means that only generic mitigation strategies can be implemented, such as:
– Using trusted anti-virus software
– Using a trusted firewall programme
– Not opening unknown email attachments.
However, cyber security researchers from SOC Prime have further elaborated on the above as a result of more concentrated investigative efforts. In this context, users have been advised to adhere to the following mitigation recommendations:
– Encrypt the password database, utilising a master password, to prevent the threat actor from stealing the database and automatically gaining access to the contents stored therein
– Prior to using an enforced configuration file, the user must also ensure that regular system users do not have write access to any files or folders in the KeePass application directory
– Log in as a system administrator and create an enforced configuration file.
It has also been reported that the enforced configuration file takes precedence over the settings described in the global and local configuration files, including any new triggers added by malicious threat actors. As such, it serves to mitigate the CVE-2023-24055 vulnerability.
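As an added example (not from the advisory or from the KeePass project), the following Python script parses a KeePass.config.xml for trigger definitions, which a clean installation normally lacks, and checks whether an enforced configuration file is present and whether the application directory is writable by the current user. The sample configuration, the placeholder GUIDs and the element layout under Configuration/Application/TriggerSystem are constructed assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample fragment of a KeePass.config.xml carrying one trigger.
# Element names follow the layout assumed for KeePass 2.x; GUIDs are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>Update</Name>
          <Events><Event><TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid></Event></Events>
          <Actions><Action><TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
            <Parameters><Parameter>C:\\Users\\Public\\export.xml</Parameter></Parameters>
          </Action></Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""

def find_triggers(xml_text):
    """Return one summary dict per <Trigger> element found anywhere in the config."""
    root = ET.fromstring(xml_text)
    found = []
    for trig in root.iter("Trigger"):
        found.append({
            "name": trig.findtext("Name", default=""),
            "events": [e.findtext("TypeGuid", default="") for e in trig.iter("Event")],
            "actions": [a.findtext("TypeGuid", default="") for a in trig.iter("Action")],
            "params": [p.text or "" for p in trig.iter("Parameter")],
        })
    return found

def inspect_app_dir(app_dir, enforced_name="KeePass.config.enforced.xml"):
    """Return (enforced_config_present, dir_writable) for the KeePass install directory."""
    return (os.path.isfile(os.path.join(app_dir, enforced_name)),
            os.access(app_dir, os.W_OK))

def config_findings(xml_text, enforced_present, dir_writable):
    """List review items: every trigger, a missing enforced config, a writable directory."""
    findings = [f"trigger '{t['name']}' with {len(t['actions'])} action(s); "
                f"parameters: {t['params']}" for t in find_triggers(xml_text)]
    if not enforced_present:
        findings.append("no enforced configuration file found in the application directory")
    if dir_writable:
        findings.append("application directory is writable by the current user")
    return findings
```

Run it against a real install with `python check_keepass.py "C:\Program Files\KeePass2\KeePass.config.xml"` after adding a small wrapper that reads the file and calls `config_findings(text, *inspect_app_dir(dirname))`; any trigger it reports should be reviewed against what the administrator deliberately configured.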
Indicators of Compromise
The vulnerability reported on is currently under dispute by the software developers and is therefore being subjected to continued analysis. As such, any Indicators of Compromise (IoC) are yet to be classified.
Due to a proof-of-concept (PoC) exploit code having been released, coupled with the fact that KeePass is one of the most popular password manager platforms used globally, the vulnerability reported on remains a lucrative target for cyber threat actors.
No specific threat groups have been connected to this exploit.
– T1555 – Credentials from Password Stores
– T1567 – Exfiltration Over Web Service