Geekzone: technology news, blogs, forums
MartinGZ

#303489 13-Feb-2023 22:37
To quote:
"In short, the attack involves editing the KeePass configuration file to create an action that triggers when the database is saved. This causes KeePass to export the password database to a plain text file without requiring the master password. Another trigger then uploads this exported file to a server waiting to receive it."

 

This needs local access or a trojan.

 

The reply from the author was a bit dismaying:
"Dominik Reichl, brushed off the supposed vulnerability. He argued that anyone with enough privilege to edit the configuration file can cause even more damage and dismissed the need for a change in KeePass. He stated that KeePass cannot guarantee security in an insecure environment."

 

https://www.ghacks.net/2023/02/11/keepass-isnt-as-safe-as-we-once-thought-heres-why/ 

 

I used to like KeePass and moved from that to Bitwarden for a variety of reasons. Mainly to get cross-platform use that was only available by using KeePass third-party plug-ins, something I wasn't comfortable with, and also pointed out in the article.

 

Edit: create hyperlink.
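An added example (not from this thread, and not KeePass's own code): a small Python audit that reads a KeePass.config.xml, lists every trigger with its action parameters, and flags triggers that are not on an allow-list, since an unexpected trigger in the config file is the signal for the attack quoted above. It assumes the Configuration/Application/TriggerSystem/Triggers/Trigger layout with Events/Event and Actions/Action/Parameters/Parameter children that KeePass 2.x uses; the sample config and its TypeGuid strings are constructed placeholders.

```python
# Added example, not from this thread or from KeePass. Audits a KeePass.config.xml
# for trigger definitions, the mechanism the quoted attack abuses. Layout assumed:
# Configuration/Application/TriggerSystem/Triggers/Trigger with Events/Event and
# Actions/Action/Parameters/Parameter children. Config below is constructed;
# the TypeGuid values are placeholders, not real KeePass GUIDs.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Name>Backup</Name>
          <Events><Event><TypeGuid>PLACEHOLDER-SAVED-EVENT</TypeGuid></Event></Events>
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-EXPORT-ACTION</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\db-export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def audit_triggers(config_xml, allowed_names=frozenset()):
    """One record per trigger; 'unexpected' is True unless its name is allowed."""
    root = ET.fromstring(config_xml)
    records = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        name = trig.findtext("Name", default="")
        # Parameters are reported verbatim: an export action carries its output
        # path there, which is what a reviewer of the file wants to see.
        params = [p.text or "" for p in trig.iterfind("./Actions/Action/Parameters/Parameter")]
        records.append({
            "name": name,
            "events": len(trig.findall("./Events/Event")),
            "actions": len(trig.findall("./Actions/Action")),
            "params": params,
            "unexpected": name not in allowed_names,
        })
    return records
```

Run it against the real file (on a standard Windows install that is assumed to be %APPDATA%\KeePass\KeePass.config.xml; portable installs keep it next to the executable) and review every record marked unexpected. KeePass also supports an enforced configuration file that takes precedence over the local one, which is the administrative control for locking trigger settings.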


mattwnz
  #3036206 13-Feb-2023 23:41

This is one I was considering using. It makes me wonder if it is safe using any of them. BW is one I think I will go with in the future, but you still don't really know. 




marpada
  #3036208 13-Feb-2023 23:57

It would be good to know if the vulnerability affects KeePassXC


SirHumphreyAppleby
  #3036224 14-Feb-2023 02:35

marpada: It would be good to know if the vulnerability affects KeePassXC

KeePassXC does not support triggers.




davidcole
  #3036249 14-Feb-2023 08:08

Also someone has to get access to your machine to introduce the trigger. I don't think they can be introduced via a database (which would be the only bit that might be online, if a user chooses that). And I guess an infected binary could do it.





Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 


xpd

  #3036271 14-Feb-2023 09:32

Not concerned, as mentioned, an attacker would need access to the file to start with, so if they're already on your network, you've got big problems.

 

 






davidcole
  #3036274 14-Feb-2023 09:39

Just while talking KeePass/KeePassXC:

 

How secure for passwords and stuff do people go on their DB? I actually only use a simple PIN, but it's combined with a key file that each machine has to also possess.







 
 
 
 

mentalinc
  #3036305 14-Feb-2023 10:48

There is also an updated version that removes the export functionality.






MartinGZ

  #3036328 14-Feb-2023 12:09

mentalinc: There is also an updated version that removes the export functionality

 

Out of interest I looked through their forum and what you say is not strictly true as I read it. The config file can still be altered, but if an export is asked for, the user is asked for their master password, with no other warning. 

 

"Yes, keepass asks for a second time for the password but with the same login mask with a slightly modified popup title: "Enter current Master Key (Export)"

 

A normal User will think, he mistyped the master password the first time and will enter the password again. The second time the export will trigger and the attacker will still get the exported clear text password again."

 

https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/?page=9#7875 

 

After that the thread gets a bit boring with "Yes it's fixed", "No it is not" type arguments.

 

KeePass is a good product, it's just a shame that sometimes developers get a little bit defensive about issues. 


MartinGZ

  #3036330 14-Feb-2023 12:24

xpd: Not concerned, as mentioned, an attacker would need access to the file to start with, so if they're already on your network, you've got big problems.

Not an argument I go along with. So along with network/PC problems, you now have to sort out changing all your passwords? No thanks, the two are separate issues. In this case, the passwords would have been exported and you would not be aware there is any issue on the PC. Why would an attacker draw attention to themselves before they have had a chance to use the passwords?


davidcole
  #3036392 14-Feb-2023 13:38

I still come back to how the configuration file is being updated to add these triggers to run the export. I'd have thought a bigger vulnerability in KeePass is the fact there are plugins... partially a reason I moved to KeePassXC... and why I don't run browser extensions. Passwords are only entered via auto-type settings.






