• KeePass : Warning KeePass vulnerability

    • #2530872

    An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g. to obtain the cleartext passwords by adding an export trigger.

    KeePass Password Manager vulnerability: what you need to know

    The Federal Cyber Emergency Team of Belgium, cert.be, released a warning regarding KeePass. According to the warning, attackers with write access to the KeePass configuration file may modify it with triggers to export the entire password database in cleartext without user confirmation…

    The vulnerability described requires write access to the KeePass configuration file. An attacker has to add a trigger to the file that executes when a password database file is open to export the data silently in the background. Passwords are saved in clear text to a file and the attacker would need to obtain that file later on to gain access to all stored passwords…

    Keepass – https://keepass.info/help/kb/sec_issues.html#cfgw

    Write Access to Configuration File

    An attacker who has write access to the KeePass configuration file can modify it maliciously (for example, he could inject malicious triggers). This is not really a security vulnerability of KeePass though.

    If the user has installed KeePass using the setup program, the configuration file is stored in the user’s application data directory (in “%APPDATA%\KeePass”), which is within the user profile directory (“%USERPROFILE%”). In this case, having write access to the KeePass configuration file is typically equivalent to having write access to the user profile directory. Someone who has write access to the user profile directory can perform various kinds of attacks. For example, the attacker could add malware in the startup folder (“%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup”; the malware will run automatically after the next user logon), modify desktop shortcuts (in “%USERPROFILE%\Desktop”), manipulate the user’s registry (file “%USERPROFILE%\NTUSER.DAT”), modify configuration files of other applications (for instance to make a browser open a malicious website automatically), and so on.
    If the user is using the portable version of KeePass, the configuration file is stored in the application directory (which contains the “KeePass.exe” file). In this case, having write access to the KeePass configuration file is typically equivalent to having write access to the application directory. With this capability, an attacker can for instance simply replace the “KeePass.exe” file by some malware.
    In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection).

    These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment…

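    An added example, not code from this thread or from the KeePass project: a Python audit that reads the trigger section of a KeePass 2.x configuration file and reports enabled triggers whose actions write to a file path, which is the shape of the export trigger described above. Element names follow the KeePass 2.x config layout (Application/TriggerSystem/Triggers); the ExportNoKey policy element name is an assumption, and the sample config and its GUIDs are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <TriggerSystem> section of a KeePass 2.x
# KeePass.config.xml; the GUID values are placeholders, not KeePass's.
SAMPLE_CONFIG = """<Configuration>
  <Application><TriggerSystem><Enabled>true</Enabled><Triggers>
    <Trigger><Guid>PLACEHOLDER-GUID</Guid><Name>Backup</Name><Enabled>true</Enabled>
      <Events><Event><TypeGuid>PLACEHOLDER-EVENT</TypeGuid></Event></Events>
      <Actions><Action><TypeGuid>PLACEHOLDER-ACTION</TypeGuid><Parameters>
        <Parameter>C:\\Users\\Public\\export.xml</Parameter>
        <Parameter>KeePass XML (2.x)</Parameter>
      </Parameters></Action></Actions>
    </Trigger>
  </Triggers></TriggerSystem></Application>
  <Security><Policy><ExportNoKey>true</ExportNoKey></Policy></Security>
</Configuration>"""

# Windows drive path, UNC path, environment-variable path or POSIX path.
PATH_RE = re.compile(r"^([A-Za-z]:\\|\\\\|%[^%]+%|/)")


def _is_true(node, path):
    return (node.findtext(path) or "").strip().lower() == "true"


def audit(xml_text):
    """Summarise the trigger state of a KeePass config for a defender."""
    root = ET.fromstring(xml_text)
    triggers = list(root.iterfind("Application/TriggerSystem/Triggers/Trigger"))
    targets = []
    for trig in triggers:
        if not _is_true(trig, "Enabled"):
            continue  # a disabled trigger never fires
        name = trig.findtext("Name", "")
        for param in trig.iterfind("Actions/Action/Parameters/Parameter"):
            text = (param.text or "").strip()
            if PATH_RE.match(text):  # an action parameter naming an output file
                targets.append((name, text))
    return {
        "triggers_enabled": _is_true(root, "Application/TriggerSystem/Enabled"),
        "trigger_count": len(triggers),
        "file_targets": targets,
        # Assumed element name for the pre-2.53.1 policy flag that let an
        # export skip the master-key prompt; 2.53.1 removed the flag.
        "export_no_key": _is_true(root, "Security/Policy/ExportNoKey"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On a machine where the user never created triggers, any non-zero trigger count is worth a look; the file targets tell you where an export would have landed.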
    • #2530880

      KeePass Enhanced Security Configuration

      Make your KeePass more secure using the not very well known KeePass enforced configuration file.

      https://github.com/onSec-fr/Keepass-Enhanced-Security-Configuration

      https://Cert.be for more info

    • #2530896

      This is VERY old news [1] and has been addressed on the KeePass site.
      It is NOT a vulnerability in KeePass, it is a computer vulnerability if a bad actor has physical access to your PC and logon.

      cheers, Paul

      [1] From 2010. https://sourceforge.net/p/keepass/discussion/329220/thread/d0ab63c8/

      • #2530898

        It may be old news, but the Cert.be warning was published on 27/01/2023.

      • #2530899

        I am glad you know best, as always.
        Check the hardening section for “KeePass.config.enforced.xml”, you may learn.
        Thanks to Alex5723; for now I follow info from http://cert.be
        • #2530904

          An enforced config is no defense. If a bad actor has that access they can easily circumvent the enforced config.

          Enforcement is a useful administration adjunct for network admins, not a security control.

          cheers, Paul

    • #2530905

      From the Github link posted by Fred.

      Is my keepass database protected from an attacker who has access to my machine?

      Definitely not. There are multiple ways to recover passwords in memory, or by abusing certain features. Note that if the attacker has write access to your configuration file, he can simply modify or delete it.

      How to protect myself from the CVE-2023-24055 vulnerability?

      This disputed “vulnerability” relies on triggers. You can disable them using the enhanced configuration file, or use a version 1.x that does not have this feature.

      cheers, Paul

    • #2532626

      KeePass 2.53.1 is out.

      Removed the ‘Export – No Key Repeat’ application policy flag; KeePass now always asks for the current master key when trying to export data.

      cheers, Paul

    • #2533106

      KeePass 2.53.1 password manager resolves vulnerability controversy

      KeePass 2.53.1 is a new update for the password manager that addresses a potential vulnerability in the application.

      Last week, word about a vulnerability in the password manager spread online. Reported by the Federal Cyber Emergency Team of Belgium, it revolved around the application’s trigger mechanism.

      Using a specific trigger, an attacker could export the entire password database to another file. The main issue that Belgium’s Federal Cyber Emergency Team saw was that KeePass did not prompt the user for the master password before allowing the export of passwords to commence.

      KeePass itself disputed the vulnerability, stating that malicious actors needed write access on the system and that the access would give them even more malicious options, including replacing the KeePass executable file, running malicious programs on the system, or modifying autostart and configurations on the system…

      The point release addresses the issue. The official changelog highlights the fact: “Removed the ‘Export – No Key Repeat’ application policy flag; KeePass now always asks for the current master key when trying to export data.”

      In other words: KeePass will prompt the user for confirmation before data export operations. Confirmation is given with the user’s primary password, which needs to be entered before data exports begin…

    • #2533154

      This makes no sense the way it was implemented.

      I just exported my KeePass database with Version 2.53.1 and it did ask for my password as stated.

      Then I used KeePass Version 2.52 and exported the SAME database and I was not blocked from the export.

      So if I want to bypass the new password rule, all I have to do is use an older version. This is not very secure!


      • #2533215

        It is secure if you have the installed version – no write access to the install directory.

        If your machine is so badly compromised that an attacker can write any program and persuade you to run it, you have already lost everything.

        cheers, Paul
