With an update, the developer has now closed a much-discussed security gap that made it easier for attackers with access to the system to export passwords.
A vulnerability in the open source password manager KeePass caused discussions last week: attackers with user rights on the system were able to change the KeePass configuration in such a way that a plain-text export of the database was created without any further prompt (CVE-2023-24055). With an updated version, the developer has now eliminated this behavior.
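Because the attack described here is a change to the KeePass configuration file rather than an exploit of the program itself, a defender's check is to audit that file for unexpected triggers and to compare it against a known-good baseline. The following script is an added example and not KeePass's own code; the XML element names (Application/TriggerSystem/Triggers/Trigger/Name/Actions/Action) are assumed from KeePass's configuration layout, and the sample config and GUID values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample of a KeePass.config.xml into which one trigger has been added.
# Element names are assumed to match KeePass's layout; the GUIDs are placeholders.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Name>silent export</Name>
          <Events><Event><TypeGuid>placeholder-event-guid</TypeGuid></Event></Events>
          <Actions><Action><TypeGuid>placeholder-action-guid</TypeGuid></Action></Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def list_triggers(config_xml: str) -> list:
    """Return every trigger in the config as {'name': ..., 'actions': <count>}."""
    root = ET.fromstring(config_xml)
    found = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        name = trig.findtext("Name", default="<unnamed>")
        actions = trig.findall("./Actions/Action")
        found.append({"name": name, "actions": len(actions)})
    return found


def config_fingerprint(config_xml: str) -> str:
    """SHA-256 of the config text, to compare with a baseline taken after a clean install."""
    return hashlib.sha256(config_xml.encode("utf-8")).hexdigest()


def audit(config_xml: str, baseline_fingerprint: Optional[str]) -> list:
    """Alert on any trigger at all (most users have none) and on a baseline mismatch."""
    alerts = []
    for t in list_triggers(config_xml):
        alerts.append(f"trigger present: {t['name']!r} with {t['actions']} action(s)")
    if baseline_fingerprint and config_fingerprint(config_xml) != baseline_fingerprint:
        alerts.append("config differs from baseline fingerprint")
    return alerts


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, None):
        print(line)
```

Run it against the real KeePass.config.xml (both the program directory and the user profile location) and treat any trigger you did not create yourself as a finding.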
KeePass Update: Real Security Gain?
In version 2.53.1 he simply removed the “Export – No Key Repeat” policy, which means that users are now always prompted when a password database export is requested: they have to enter their master key, as the KeePass changelog explains.
Originally, the developer took the view that “the password database does not need to be protected against an attacker who has such access to the local PC”. The explanation for this is fundamentally sound.
He explained that “it’s not really a security hole in KeePass”. Anyone with write access to the configuration file can usually access the entire user profile and thus carry out far more extensive attacks. Malicious actors could plant malware in the startup folder, change desktop shortcuts, modify registry values or alter the configuration files of other software, for example to make a web browser open a malicious website automatically. For users of the portable version, attackers with these rights could access the entire program directory and replace the KeePass executable with malware.
Attackers with these rights can also attack KeePass itself, without access to the configuration file. For example, if a Trojan is active on the system, it can affect a password manager and other software such as web browsers in many ways. The passwords in the password manager must therefore always be considered compromised in the event of an infection. As KeePass put it, “KeePass cannot magically run securely in an insecure environment.”
Implementation of user requests
By choosing to remove the policy from the software, the developer has implemented what users had asked for, for example in the SourceForge discussion forum. The initial objection that an attacker with the appropriate rights on the system could simply re-enable the “Export – No Key Repeat” policy in the configuration file is moot, since the policy has been removed entirely.
However, the update does not change the fundamental problem that after a Trojan attack, the passwords of those affected must also be considered compromised despite the use of a password manager. These should still be changed immediately after a malware infection.