KeePass releases fix for password-leaking security bug

Sead Fadilpašić

6 June 2023 at 10:30 am·2-min read

KeePass logo padlock

Over the weekend, the password management tool KeePass was updated to address a high-severity vulnerability which allowed threat actors to exfiltrate the master password in cleartext.

Users with KeePass versions 2.x are advised to bring their instances to version 2.54 to eliminate the threat. Those using KeePass 1.x, Strongbox, or KeePass XC, are not vulnerable to the flaw and thus don’t need to migrate to the new version, if they don’t want to.

Those that cannot apply the patch for whatever reason should reset their master password, delete crash dumps and hibernation files, and swap files that could hold pieces of their master password. In more extreme cases, they could reinstall their operating system.

Leftover strings

In mid-May, it was announced that the password management tool was vulnerable to CVE-2023-32784, a flaw that allowed threat actors to partially extract the KeePass master password from the application’s memory dump. The master password would come in cleartext. The vulnerability was discovered by a threat researcher going by the alias “vdohney”, who also released a proof-of-concept for the flaw.

As explained by the researcher, the problem was found in SecureTextBoxEx: “Because of the way it processes input, when the user types the password, there will be leftover strings,” they said. "For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

> Top password manager denies its entire database can be stolen

> This vicious new malware version is now targeting password managers

> These are the best authenticator apps around

Consequently, an attacker would be able to recover almost all master password characters, even if the workspace is locked, or the program was recently shut down.

In theory, a threat actor could deploy an infostealer or a similar malware variant to dump the program’s memory and send it, together with the password manager’s database, back to a server under the attacker’s control.

From there, they’d be able to exfiltrate the master password without being pressed for time. With password managers, a master password is used to decrypt and access the database holding all other passwords.

See if KeePass is one of our contenders for the best password manager

Via: BleepingComputer

Malay Mail
Police: Man sodomised by foreigner he met in PJ condo gym
PETALING JAYA, July 6 — A local man has alleged he was sodomised against his will by a foreigner he met at the gym of th...
Malay Mail
Umno veterans question low Chinese voter turnout at Sg Bakap
KUALA LUMPUR, July 7 — The Umno Veterans Club today expressed concern over the low turnout of Chinese voters during the...
Malay Mail
Malaysian film director Mansor Puteh dies, 70, dies in accident
PETALING JAYA, July 7 — Film director and critic Mansor Puteh, 70, passed away after the car he was driving skidded and...
The Guardian
Portugal v France: a galactic battle lost in the black hole of one man’s ego
This Euro 2024 clash could have been an all-time great quarter-final, and instead a part of it was stolen
Reuters
China anchors 'monster ship' in South China Sea, Philippine coast guard says
The Philippine Coast Guard (PCG) said on Saturday that China's largest coastguard vessel has anchored in Manila's exclusive economic zone (EEZ) in the South China Sea, and is meant to intimidate its smaller Asian neighbour. The China coastguard's 165-meter 'monster ship' entered Manila's 200-nautical mile EEZ on July 2, spokesperson for the PCG Jay Tarriela told a news forum. The PCG warned the Chinese vessel it was in the Philippine's EEZ and asked about their intentions, he said.
Malay Mail
In Section 19 PJ, the newly-opened Jing Cheng Beijing Roasted Duck scores a hit with Beijing-style roast duck
PETALING JAYA, July 7 — Earlier this year, I wrote about The Golden Time, one of the five restaurants located on the gro...
INSIDER
Kamala Harris won't save Democrats if she takes over for Biden, warns historian who correctly predicted 9 of the last 10 elections
Professor Allan Lichtman told WSJ that based on his election model, President Joe Biden remains the Democrats' best shot for the White House in 2024.
Malay Mail
Immigration nabs 75 in Klang Valley prostitution crackdown
KUALA LUMPUR, July 6 — The Immigration Department conducted a crackdown on a foreign prostitution syndicate in the Klang...
The Telegraph
‘Everything they touch will turn to gold’: What’s next for the Sunaks?
It’s all over for Rishi Sunak now that his party has lost the general election in emphatic fashion – despite retaining his seat, this is surely the beginning of the end of his frontline political career as he serves out the last of his days as leader of the party.
People
Heidi Klum’s Husband Tom Kaulitz Pats Her Butt Before Gondola Ride During Romantic Venice Vacation
The couple were joined by Kaulitz's twin brother, Bill, for the afternoon outing during their getaway in Italy
The Telegraph
Cristiano Ronaldo looks lost as Portugal lose to France in penalty shoot-out at Euro 2024
When it was finally over Cristiano Ronaldo turned away, pulled the captain’s armband from his sleeve and wandered off – if this is not the end for him in international football then he will be in his fifth decade by the time of the next World Cup finals.
The Telegraph
British Jews have reason to be frightened. This time it’s not Labour
On October 8, as the world was beginning to comprehend what had just happened in southern Israel, most decent people – including many who would go on to decry Israel’s retaliatory campaign – expressed genuine horror at what Gaza’s Islamist barbarians had done. But a substantial minority was openly cheering. Not just in Turkey and Iran, but in Toronto and London.
The Guardian
International students left feeling like ‘cash cows’ after Albanese government raises visa fees
Surprise increase makes Australian visa application fee among most expensive in the world, as new survey finds rising costs putting prospective students off
RFI
Carmakers unhappy after EU hits China with tariffs on electric vehicles
The European Union has slapped extra provisional duties of up to 38 percent on Chinese electric car imports because of "unfair" state subsidies, despite Beijing's warnings the move would unleash a trade war. But company reps in both China and Europe are critical of the steps. Brussels launched an investigation last year into Chinese electric vehicle manufacturers to probe whether state subsidies were unfairly undercutting European automakers.Since announcing the planned tariff hike last month, o
The Telegraph
From late-night text to mother’s fury: How the Murray-Raducanu Wimbledon saga unfolded
A whole 11 minutes after news broke that Emma Raducanu had pulled out from her mixed doubles appearance with her son, Judy Murray could not hide her feelings any longer.
Malay Mail
Beyond’s Hai Kuo Tian Kong still a hit among Malaysians of all races after 31 years (VIDEO)
KUALA LUMPUR, July 7 — It’s been 31 years since the release of Hong Kong rock band, Beyond's Hai Kuo Tian Kong (Boundles...
The Telegraph
China’s dirty and dangerous race to become a space superpower
It was supposed to be a moment of triumph for China’s space industry. The 180ft Long March 3B rocket stood on the launch pad, ready to carry an American-made satellite into orbit on its debut mission.
People
Megan Fox and Machine Gun Kelly Wear Matching All-White Outfits for Rare Date Night at Fourth of July Party
The on-again-off-again couple celebrated the holiday in the Hamptons
The Telegraph
Ukraine goes to war... with Western moneymen
For months, the West’s most respected military experts have been insisting that Vladimir Putin’s war machine is close to running out of steam in Ukraine. However, it is a prediction that seems completely at odds with the reality of life for millions of Ukrainians living close to the frontline.
Malay Mail
Umany: PM Anwar’s 10A policy fails to address admission inequity
KUALA LUMPUR, July 6 — The government must clarify its guarantee of matriculation spots for all 10A SPM scorers to preve...

Leftover strings

Latest stories