KeePass releases fix for password-leaking security bug
Date:
Tue, 06 Jun 2023 14:30:27 +0000
Description:
A bug allowed threat actors to pull master passwords in cleartext.
FULL STORY ======================================================================
Over the weekend, the password management tool KeePass was updated to address a high-severity vulnerability which allowed threat actors to exfiltrate the master password in cleartext.
Users with KeePass versions 2.x are advised to bring their instances to version 2.54 to eliminate the threat. Those using KeePass 1.x, Strongbox, or KeePass XC, are not vulnerable to the flaw and thus dont need to migrate to the new version, if they dont want to.
Those that cannot apply the patch for whatever reason should reset their master password, delete crash dumps and hibernation files, and swap files
that could hold pieces of their master password. In more extreme cases, they could reinstall their operating system. Leftover strings
In mid-May, it was announced that the password management tool was vulnerable to CVE-2023-32784, a flaw that allowed threat actors to partially extract the KeePass master password from the applications memory dump. The master
password would come in cleartext. The vulnerability was discovered by a
threat researcher going by the alias vdohney, who also released a proof-of-concept for the flaw.
As explained by the researcher, the problem was found in SecureTextBoxEx: Because of the way it processes input, when the user types the password,
there will be leftover strings, they said. "For example, when "Password" is typed, it will result in these leftover strings: a, s, s, w, o, r, d." read more
Top password manager denies its entire database can be stolen
This vicious new malware version is now targeting password managers
These are the best authenticator apps around
Consequently, an attacker would be able to recover almost all master password characters, even if the workspace is locked, or the program was recently shut down.
In theory, a threat actor could deploy an infostealer or a similar malware variant to dump the programs memory and send it, together with the password managers database, back to a server under the attackers control.
From there, theyd be able to exfiltrate the master password without being pressed for time. With password managers, a master password is used to
decrypt and access the database holding all other passwords. See if KeePass
is one of our contenders for the best password manager
Via: BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/news/keepass-releases-fix-for-password-leaking-secur ity-bug
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)