
KeePass Password Manager Users Beware


KeePass is a popular, open-source password manager that stores your passwords locally in an encrypted database. It is available for Windows and, via Mono, for Linux.

The database is encrypted with a master password (optionally combined with a key file), so malware or a threat actor that steals the database file alone cannot read the passwords stored in it. Or so you would think.

The problem described below could be mitigated if the developers simply added a confirmation prompt, a Yes or No dialog, before a trigger is allowed to export the database. The developers dispute that this is a vulnerability at all, however, and as such you should consider switching to other software for your own safety.

Is your system compromised?

If your system is already compromised, you are basically out of luck: nothing below will save the passwords on that machine.

A vulnerability tracked as CVE-2023-24055 lets a threat actor who already has write access to the target's system alter the KeePass XML configuration file (KeePass.config.xml) and inject a malicious trigger that exports the entire database, including all usernames and passwords, in clear text.

It works like this: the next time you launch KeePass and enter your master password to open and decrypt the database, the export trigger fires and the decrypted contents of your database are written to a file, which the attacker can then exfiltrate from your system.

A proof-of-concept exploit has already been posted online, which makes it easier for malware developers to give information stealers the ability to dump and steal the contents of KeePass databases on compromised devices.

The national CERTs of Belgium and the Netherlands have issued security advisories about CVE-2023-24055, but the KeePass development team argues that it should not be classified as a vulnerability, because an attacker with write access to a target's device can obtain the contents of the KeePass database through other means anyway.

The "Security Issues" page of the KeePass Help Center has described the "Write Access to Configuration File" issue since April 2019 as "not really a security vulnerability of KeePass."

If KeePass is installed as a regular program and the attackers have write access, they can "perform various kinds of attacks" anyway; if the user runs the portable version, they can simply replace the KeePass executable itself with malware.

"In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)," the KeePass developers say.

"These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment."

The KeePass developers do not seem to care very much. So if you cannot or will not cough up the money for a commercial solution like NordPass, what you can do is create an "enforced configuration file".

Settings in this file take precedence over the global and local configuration files, including any triggers added by an attacker, which mitigates CVE-2023-24055, provided that normal users do not have write access to any file or folder in KeePass's application directory.
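To see what an injected trigger looks like in the configuration, and to produce the enforced file just described, here is an added Python example. It is not KeePass's own code and not the published proof of concept: it lists the triggers in a KeePass.config.xml, flags actions whose parameters look like file paths, builds a KeePass.config.enforced.xml that switches the trigger system off and forbids export through the application policy, and checks the program directory. The element names follow the layout of KeePass.config.xml (compare them with the file your installed version writes); the sample configuration and its GUID values are constructed placeholders, and the file-path heuristic is this example's own idea, not a KeePass feature.

```python
"""Audit a KeePass 2.x configuration for triggers and build an enforced
configuration that turns the trigger system off.

Added example, not KeePass project code. Element names follow the layout of
KeePass.config.xml (Configuration/Application/TriggerSystem and
Configuration/Security/Policy); compare them with the KeePass.config.xml of
your installed version. SAMPLE_CONFIG is constructed for this demo and its
GUID values are placeholders, not real KeePass trigger, event or action IDs.
"""
import os
import re
import xml.etree.ElementTree as ET

ENFORCED_FILE = "KeePass.config.enforced.xml"  # KeePass reads this from its own directory

# Constructed: the trigger-relevant part of a KeePass.config.xml after an
# attacker has added a trigger whose action writes the database to a file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>AAAAAAAAAAAAAAAAAAAAAA==</Guid>
          <Name>Backup</Name>
          <Events>
            <Event><TypeGuid>BBBBBBBBBBBBBBBBBBBBBB==</TypeGuid></Event>
          </Events>
          <Actions>
            <Action>
              <TypeGuid>CCCCCCCCCCCCCCCCCCCCCC==</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\db.xml</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Drive letter, UNC share, POSIX absolute path or %ENV% prefix.
PATH_RE = re.compile(r"^([A-Za-z]:\\|\\\\|/|%[A-Za-z_]+%)")


def list_triggers(xml_text):
    """Return (trigger_system_enabled, triggers); each trigger is a dict with
    its Name and a list of (action TypeGuid, [parameter strings])."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ts = root.find("./Application/TriggerSystem")
    if ts is None:
        return True, []  # KeePass default: trigger system on, no triggers defined
    enabled = (ts.findtext("Enabled") or "true").strip().lower() == "true"
    triggers = []
    for trig in ts.findall("./Triggers/Trigger"):
        actions = []
        for act in trig.findall("./Actions/Action"):
            params = [(p.text or "").strip() for p in act.findall("./Parameters/Parameter")]
            actions.append((act.findtext("TypeGuid") or "", params))
        triggers.append({"name": trig.findtext("Name") or "", "actions": actions})
    return enabled, triggers


def file_writing_actions(triggers):
    """Heuristic: (trigger name, parameter) for every action parameter that
    looks like a file path. This example does not hard-code KeePass's action
    GUIDs, so a path parameter is the practical tell for an export-to-file
    trigger; any trigger you did not create yourself is suspect regardless."""
    return [(t["name"], p) for t in triggers
            for _guid, params in t["actions"] for p in params if PATH_RE.search(p)]


def build_enforced_config(disable_triggers=True, disable_export=True):
    """XML for KeePass.config.enforced.xml. Its settings override the global and
    local configuration, so an injected trigger is ignored as long as this file
    sits in the KeePass directory and that directory is not user-writable."""
    root = ET.Element("Configuration")
    ts = ET.SubElement(ET.SubElement(root, "Application"), "TriggerSystem")
    ET.SubElement(ts, "Enabled").text = "false" if disable_triggers else "true"
    if disable_export:  # application policy: forbid export entirely
        policy = ET.SubElement(ET.SubElement(root, "Security"), "Policy")
        ET.SubElement(policy, "Export").text = "false"
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def check_app_dir(app_dir):
    """Findings about the KeePass program directory: the enforced file must be
    present and the directory must not be writable by the account running
    KeePass. os.access is only a coarse check on Windows; confirm with icacls."""
    findings = []
    if not os.path.isfile(os.path.join(app_dir, ENFORCED_FILE)):
        findings.append("missing " + ENFORCED_FILE)
    if os.access(app_dir, os.W_OK):
        findings.append("directory writable by current user")
    return findings


if __name__ == "__main__":
    enabled, triggers = list_triggers(SAMPLE_CONFIG)
    print("trigger system enabled:", enabled)
    for name, path in file_writing_actions(triggers):
        print("trigger %r has an action writing to %s" % (name, path))
    print(build_enforced_config())
```

Run it against your real configuration by passing the contents of KeePass.config.xml (the global copy next to KeePass.exe, and the local copy under %APPDATA%\KeePass) to list_triggers, then save the output of build_enforced_config as KeePass.config.enforced.xml in the KeePass program directory and make that directory read-only for normal users. Remember that the enforced file only protects the copy of KeePass it sits beside.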

Also worth noting: if the attacker launches a KeePass executable from another location on your system, one that has no enforced configuration file beside it, the enforced settings do not apply and you are out of luck.

How about ditching the losing team and switching to the winning team here?

That being said, so far NordPass has not been compromised.

"If the user runs another copy of KeePass without an enforced configuration file, this copy does not know the enforced configuration file that is stored elsewhere, i.e. no settings are enforced."

KeePass Developers Site


Disclaimer

All information on this website is published in good faith and for general educational purposes and for use in safe testing environments only. While linuxexperten.com strives to make the information on this site as accurate as possible, linuxexperten.com does not warrant its completeness, reliability and accuracy.

We are not responsible for any losses or damages associated with the use of our website. While we strive to provide only links to useful websites, we have no control over the content of these sites and links to other sites do not constitute a recommendation for all content contained on these websites.

 

Site Information

This is a professional review site that receives compensation from the companies whose products are reviewed. Each service or product is thoroughly tested and given high marks only if considered to be the very best. The site is independently owned, and the opinions expressed here are no one else's.
