As we close out 2023, we at Security Boulevard wanted to highlight the most popular articles of the year. Following is the latest in our series of the Best of 2023.
The issue is that KeePass has this weird feature that queues up a cleartext password export for the next time you authenticate. And that feature is itself configured via a plain-text config file, writable in the user’s security context.
This strikes many as dangerous. However, Reichl blames the victim, saying an exploit would be the notional user’s fault for using an insecure device. In today’s SB Blogwatch, we dig in.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Billie Eyelash.
What’s the craic? Alex Hernandez reports a vulnerability—“CVE-2023-24055”:
An attacker who has write access to the KeePass configuration file KeePass.config.xml … can modify it and inject malicious triggers—e.g., to obtain the cleartext passwords by adding an export trigger.
…
Victim will open KeePass as normal [and] the trigger will be executed in background, exfiltrating the credentials [in] cleartext.
All this so soon after the LastPass and LifeLock scares? Sergiu Gatlan felt a great disturbance in The Force—“KeePass disputes vulnerability”:
“KeePass cannot magically run securely”
KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. … The new vulnerability … enables threat actors with write access to a target’s system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext.
…
This export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords. … Since CVE-2023-24055 was assigned, a proof-of-concept exploit has already been shared online, likely making it easier for malware developers to upgrade information stealers with the ability to dump and steal the contents of KeePass databases.
…
[But] the KeePass development team is arguing that this shouldn’t be classified as a vulnerability: … “These attacks can only be prevented by keeping the environment secure. … KeePass cannot magically run securely in an insecure environment.”
But is that attitude entirely reasonable? Jack Poller says no—“KeePass disputes report of flaw”:
“I am surprised and flummoxed”
As best as I can tell, Dominick [the KeePass dev] believes that if an attacker has access to the user’s PC [then he] should not take any extra steps to prevent the attacker from decrypting the password database. … But that’s the opposite of the new paradigm being adopted for cybersecurity strategy: Zero trust—where we trust no one, and require continuous authentication and authorization for every transaction.
…
I am surprised and flummoxed by Dominick’s continuing reluctance to make this change. … As we suffer more breaches, we’re coming to learn that almost all information is sensitive, and should be encrypted to prevent unauthorized access, especially when exfiltrated.
Flummoxed indeed? And so is Chris:
“A chain is as strong as its weakest link”
If an attacker modifies the xml config file (adding an export trigger on ‘Opened database file’) he will be able to export all the passwords, without us knowing it. Shouldn’t the user be asked to confirm before exporting? … If a password manager is as secure as a plain text configuration file, why should I use it instead of a spreadsheet to store my passwords?
…
Why do you use KeePass? … I don’t use it so that an attacker can easily access all my passwords, at once, using notepad. … Someone can ask to export all your passwords in clear text … without notification or confirmation. … And how many know that?
…
Having multiple layers of security is better. The KeePass application security layer seems too light and the risk is very important. … In a sensitive application, the password is requested. … A chain is as strong as its weakest link.
Some say there are workaround config settings. briHass says they should be the default:
“The most important things on my device”
I’d recommend going (and I do) one step further: Lock down the KeePass config file [and] keyfile … to admins only and set the .exe to launch as administrator. The .exe is signed, so at least you have some guarantee it hasn’t been modified. Plus, the UAC prompt doesn’t look scary like it does for unsigned exes.
…
Executables running as administrator have all sorts of protections from other processes in user-land, and most importantly, the keyfile (locked to R/W only by admin) can’t be … exfiltrated by a bog-standard malware process accidentally launched by clicking the wrong thing. It never made sense to me why this isn’t [the default].
…
My password DB, and especially the keyfile and/or the process that decrypts the secrets in memory, are the most important things on my device. Those belong at the highest level of security an OS can offer, not running at the same level as some **** I downloaded from the internet.
Ah yes, the tyranny of the default. usrusr alleges the tyranny of Dominik Reichl:
“Unsafe defaults”
Unsafe defaults like “we run all plugins, unless someone goes through all the right motions of closing that door in all the right config.xml, config.enforced.xml” … are just terrible. Terrible for any software, and worse for a piece of software that has no purpose at all besides security. What if there’s a typo in your lockdown incantations?
…
That CVE [is] a warning: Avoid security related software from people who enjoy keeping a security edge over the unwashed masses who aren’t in the know, who don’t get a kick out of locking down. Because that’s why they keep the unsafe defaults, they keep them because they enjoy going the extra mile for their own safety.
The other argument is that Windows is garbage anyway. That doesn’t wash with ras:
This isn’t hard to fix. … All they have to do is authenticate the config file or at least some parts of it.
…
Their excuse for not doing this … “There is no point because the OS is weak already,” doesn’t seem like a good reason not to do it. The OS may be hardened. … If they refuse to fix their side, KeePass will never be hardened.
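What “authenticate the config file” could look like in practice, as an added illustration that is not KeePass code and not part of the original post: the trigger list is only honoured when an HMAC over the config, keyed from the master passphrase, still verifies. The XML layout, element names, passphrase and salt are all constructed stand-ins, not the real KeePass.config.xml schema.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for a KeePass-style config file.
# The real KeePass.config.xml schema is richer and is NOT reproduced here.
BASELINE_CONFIG = b"""<Configuration>
  <Application><TriggerSystem><Enabled>true</Enabled><Triggers/></TriggerSystem></Application>
</Configuration>"""

# The same file after someone with write access has appended an auto-export
# trigger (constructed; element names are illustrative only).
TAMPERED_CONFIG = b"""<Configuration>
  <Application><TriggerSystem><Enabled>true</Enabled><Triggers>
    <Trigger><Name>Export</Name><Events><Event>OpenedDatabase</Event></Events>
      <Actions><Action><Type>ExportActiveDatabase</Type>
        <Parameters><Parameter>C:\\Users\\Public\\dump.xml</Parameter></Parameters>
      </Action></Actions></Trigger>
  </Triggers></TriggerSystem></Application>
</Configuration>"""

def derive_key(master_passphrase: bytes, salt: bytes) -> bytes:
    # The MAC key comes from the master passphrase, so write access to the
    # config file alone is not enough to produce a valid tag.
    return hashlib.pbkdf2_hmac("sha256", master_passphrase, salt, 200_000)

def sign_config(config: bytes, key: bytes) -> bytes:
    return hmac.new(key, config, hashlib.sha256).digest()

def config_is_authentic(config: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_config(config, key), tag)

def list_triggers(config: bytes) -> list:
    """Return (trigger name, action type) pairs present in the config."""
    root = ET.fromstring(config)
    found = []
    for trig in root.iter("Trigger"):
        name = trig.findtext("Name", default="")
        for act in trig.iter("Action"):
            found.append((name, act.findtext("Type", default="")))
    return found

def load_triggers(config: bytes, tag: bytes, key: bytes) -> list:
    """Policy: triggers are only honoured from an authenticated config.
    A modified config fails verification and contributes no triggers."""
    if not config_is_authentic(config, tag, key):
        return []
    return list_triggers(config)
```

With the baseline signed once, the tampered copy still parses and exposes its injected export trigger to `list_triggers`, but `load_triggers` returns nothing because the tag no longer matches.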
So which password manager is actually secure? kvh suggestifies thuswise:
Bitwarden doesn’t have this particular issue:
1. BitWarden does not store configuration in an unencrypted local file. … Nor, on Windows, in the Registry. This means there is no file that can be secretly updated with new configuration options.
2. Bitwarden doesn’t have a way to automatically export the database to a plain text file. All exports require going through the UI.
What a mess. jonathanstrange cuts to the chase:
That feature is extremely insecure and makes no sense for a password manager. It ought not be possible to trigger anything in an unencrypted document or install/run anything over plaintext data without first providing the master passphrase for that password document. That should be obvious.
…
You have to think about security as being layered. … There shouldn’t be any way to export plaintext data without explicit user feedback and confirmation in the first place. That this is triggered by an unprotected global configuration file is just the icing on the cake.
Where do we send the angry mob with their flaming pitchforks? maevius puts the blame squarely on Dominik Reichl:
Saying, “Oh the PC is compromised, all is lost,” is a very nihilistic way of handling this issue. … If this argument sticks, why not just use an Excel file? The developers of KeePass are very emotionally defensive and dismissive on this. … A fix is quite simple.
Meanwhile, here’s menzoic’s pithy pile-on:
Such a trash response from a provider of software that’s supposed to protect sensitive data.
A puntastic, back-to-basics return to form for D.O.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Daniel Herron (via Unsplash; leveled and cropped)