Security News > 2023 > May > Serious Security: That KeePass “master password crack”, and what we can learn from it
Simply put, the CVE-2023-32784 vulnerability means that a KeePass master password might be recoverable from system data even after the KeyPass program has exited, because sufficient information about your password might get left behind in sytem swap or sleep files, where allocated system memory may end up saved for later.
A long-term password leak in memory also means that the password could, in theory, be recovered from a memory dump of the KeyPass program, even if that dump was grabbed long after you'd typed the password in, and long after the KeePass itself had no more need to keep it around.
Even if the programmer avoided storing the entire master password on one place after he'd finished with it, could attackers with access to a memory dump nevertheless find enough left-over temporary data to guess at or recover the master password anyway, even if those attackers got access to your computer minutes, hours, or days after you'd typed the password in ?.
To be clear, we don't think that your actual master password can be recovered as a single text string from a KeePass memory dump, because the author created a special function for master password entry that goes out of its way to avoid storing the full password where it could easily be spotted and sniffed out.
In widechar text strings on Windows, the "Blob" character is encoded in RAM as the hex byte 0xCF followed by 0x25. So, even if KeePass is taking great care with the raw characters you type in when you enter the password itself, you might end up with left-over strings of "Blob" characters, easily detectable in memory as repeated runs such as CF25CF25 or CF25CF25CF25.
Those placeholder "Blob" strings do indeed seem to be leaking into memory and staying behind to leak the password length, long after the KeePass software has finished with your master password.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-15 | CVE-2023-32784 | Cleartext Transmission of Sensitive Information vulnerability in Keepass In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. | 7.5 |