A vulnerability has been discovered in the popular password manager KeePass that, if exploited, allows the master password to be extracted from the application’s memory. Attackers who have managed to compromise the victim’s device can use it to steal all the passwords stored in the manager, even if the database is locked.
The vulnerability is tracked under the identifier CVE-2023-3278. It was discovered by a security researcher who goes by the nickname vdohney. He published a brief description of the problem and a PoC exploit for it on GitHub. The problem affects KeePass 2.53 and earlier versions of the application.
KeePass uses the SecureTextBoxEx field for password entry, and this field stores the characters entered by the user in plain text in memory. This means that an attacker only needs to obtain a memory dump. It can be a memory dump of a process, a pagefile.sys swap file, a hiberfil.sys hibernation file, various crash dumps, or a memory dump of the entire system. It also doesn’t matter whether the workspace is locked or whether KeePass is running.
The exploit was tested on Windows, but a modified version of it is likely to work on macOS as well, since the vulnerability is related to the way the application handles data when a password is entered, and not to the operating system itself. The vulnerability is expected to be fixed in KeePass 2.54, which is due to be released in the next few weeks.
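
An added example, not part of the original article or the researcher's PoC: a PowerShell audit that flags a KeePass build in the affected range and lists the on-disk memory images of the kinds named above. The install path and the dump locations are Windows defaults assumed here, and `Add-Finding` is a helper defined only for this example.

```powershell
# Added example: audit a Windows host for the exposure described in the article.
# Assumption: default KeePass 2.x install path; pass -KeePassExe if it lives elsewhere.
param(
    [string]$KeePassExe = "$env:ProgramFiles\KeePass Password Safe 2\KeePass.exe"
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Installed version: the article gives 2.53 and earlier as affected.
if (Test-Path -LiteralPath $KeePassExe) {
    $vi = (Get-Item -LiteralPath $KeePassExe).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart)
    if ($installed -lt [version]'2.54') {
        Add-Finding 'KeePass version' "$installed is in the affected range (2.53 and earlier)"
    }
} else {
    Add-Finding 'KeePass version' "KeePass.exe not found at $KeePassExe (version not checked)"
}

# 2. Memory images on disk. Default locations only (assumption): a pagefile or
#    dump directory moved to another volume is not covered by this list.
$artifacts = @(
    @{ Dir = "$env:SystemDrive\";              Filter = 'pagefile.sys' },
    @{ Dir = "$env:SystemDrive\";              Filter = 'hiberfil.sys' },
    @{ Dir = "$env:SystemRoot";                Filter = 'MEMORY.DMP'   },
    @{ Dir = "$env:SystemRoot\Minidump";       Filter = '*.dmp'        },
    @{ Dir = "$env:LOCALAPPDATA\CrashDumps";   Filter = '*.dmp'        }
)
foreach ($a in $artifacts) {
    # Enumerate the directory with -Filter: locked system files are listed reliably this way.
    Get-ChildItem -LiteralPath $a.Dir -Filter $a.Filter -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Add-Finding 'Memory image on disk' ("{0} ({1:N0} MB, written {2:u})" -f `
                $_.FullName, ($_.Length / 1MB), $_.LastWriteTime)
        }
}

# 3. Whether Windows wipes the pagefile at shutdown (it does not unless this value is 1).
$mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
if ($mm.ClearPageFileAtShutdown -ne 1) {
    Add-Finding 'Pagefile' 'ClearPageFileAtShutdown is not enabled; paged-out memory persists across reboots'
}

$findings | Format-Table -AutoSize -Wrap
```

Any file listed under "Memory image on disk" that was written while an affected KeePass build was in use should be treated as potentially containing the master password.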