Author

Topic: KeePass vulnerability: Recover master pwd in clear text from memory dump (Read 136 times)

hero member
Activity: 2520
Merit: 952
legendary
Activity: 2758
Merit: 6830
2.54 is not out yet.

To clarify, "within the next two months" was meant as an upper bound. The other features that I'm currently working on (which are also related to security and which I don't want to postpone) are almost finished; a realistic estimate for the KeePass 2.54 release probably is "in the beginning of June" (i.e. 2-3 weeks), but I cannot guarantee that.

Best regards,
Dominik

But if anyone is worried, there is a development snapshot with corrections: https://keepass.info/filepool/KeePass_230507.zip

Of course, you should verify the link through the developer's own comment on SourceForge: https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/?limit=25#0829

FYI: It's KeePass, not KeyPass.
legendary
Activity: 1596
Merit: 1288
It is a kind of physical attack or RAM access, but it is unfortunate to see what happened with an open source program. It is better to keep the passwords encrypted in a password manager, so even if the hackers gain access to the hemorrhoid management program, they still need to access the private key from For decryption, which you can keep in an offline environment.

Thanks for the warning and it is better not to trust the default in open source software.
legendary
Activity: 2758
Merit: 6830
Important thing to mention, from the SourceForge discussion:

Quote
An attacker needs read access to your filesystem or your RAM. Realistically, if your computer is infected by malware that's running in the background, this doesn't make it much worse - for that you could already be attacked by e.g. KeeFarce etc. (and there's no protection against that without specialized HW).

Unless you expect to be specifically targeted by someone sophisticated, I would keep calm. The issue here could be, say, someone stealing your computer and taking the HDD out. It's not eniterely unrealistic, after all that's what the police will try to do in a raid. You can find several companies developing special forensic software for these kinds of scenarios. But it's really not what most people should panic about. If you use full disk encryption with a strong password, it gets even more unlikely.

This finding alone doesn't allow anyone to steal your passwords remotely over the internet.

So not as troublesome as it sounds (still a big problem, of course).
hero member
Activity: 868
Merit: 952
This is not the best option to take as a means of storing your keys since it a software development by some set of people you can't talk much about, i believe there are many orher means one can use to secure his seeds or keys using examples like washers, plated metalic sheet, laminated paper or any other offline means that can handles our wallet keys safe, not only this, we can alwa avoid a third party to have access to them, and always ensure that the computer system you're using is not always connected to the internet, which means your wallet has to be on an airgapped device.

Although I don’t recommend saving passwords online not just because of the vulnerability to attacks but also this makes one to rely on them total and can cause one to forget the password total. But when it comes to password managers I think KeePassXC is one of the highly recommended ones by the forum community. It is open source and the seeds or passwords generated can be stored on encrypted form where only you can access it.
hero member
Activity: 714
Merit: 521
DGbet.fun - Crypto Sportsbook
If you use Keypass, remember to upgrade it to version 2.54 as soon as it becomes available, this vulnerability affects keepass 2.x (users of keepassXC/Strongbox/KeePass 1.x are unaffected).

This is not the best option to take as a means of storing your keys since it a software development by some set of people you can't talk much about, i believe there are many orher means one can use to secure his seeds or keys using examples like washers, plated metalic sheet, laminated paper or any other offline means that can handles our wallet keys safe, not only this, we can alwa avoid a third party to have access to them, and always ensure that the computer system you're using is not always connected to the internet, which means your wallet has to be on an airgapped device.
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
I don't think it's a good idea to use a software or password manager with a vulnerability issue just like before when someone's password was compromised. All of his coins were withdrawn and he also used a password manager. So it's not safe to use any password manager if you want to use a password manager then only use it if there is no money involved on that site. Sample Twitter account and Facebook I use password manager from Chrome only for social media accounts and sites that have no money involved.

So upgrading to the latest version wouldn't help to save your compromised password it would be better to use a piece of paper to write all of your passwords and put it in your wallet(That's the offline way and safer than password manager/PC that still connected to the internet).
member
Activity: 342
Merit: 40
Low Fidelity High Potential
Yes. That righ OP, There was a vulnerability in KeyPass versions 2.x prior to 2.54, which could compromise the security of the user's master password and it is imperative that KeyPass users upgrade to version 2.54 as soon as it is available to ensure the safety of their sensitive data.
hero member
Activity: 2520
Merit: 952
If you use KeePass, remember to upgrade it to version 2.54 as soon as it becomes available, this vulnerability affects KeePass 2.x (users of KeePass/Strongbox/KeePass 1.x are unaffected).

Quote
In KeePass 2.x before 2.54, it is possible to recover the clear text master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.

Source: CVE




Thread where this vulnerability was exposed: Sourceforge



This is PSA thread. I don't understand technical jargon mentioned in above sites  Tongue

___

Edit: KeePass 2.54 released: Download





Jump to: