Full Report
Detect and mitigate CVE-2023-32784, a vulnerability in KeePass which allows the extraction of the master password in cleartext from the application's memory.
Analysis Summary
# Vulnerability: KeePass Master Password Extraction via Memory Leak
## CVE Details
- CVE ID: CVE-2023-32784
- CVSS Score: Not explicitly provided (Severity inferred as High due to functional master password leak)
- CWE: CWE-200 (Information Exposure), or a similar memory-handling weakness, arising from the custom password entry control.
## Affected Systems
- Products: KeePass password manager
- Versions: 2.x releases newer than 2.0 up to (but not including) 2.54.0. (Wiz data, as cited by the source, puts 10% of vulnerable instances in cloud environments.)
- Configurations: Any standard installation where the application is running or has recently run on the local machine.
## Vulnerability Description
The vulnerability resides in the custom password entry box named `SecureTextBoxEx` used by KeePass. This control incorrectly leaves traces of each entered master password character in memory. An attacker who has existing access to the machine can exploit this to recover the KeePass master password (all characters except the first one) in plaintext from memory. This is possible even if the KeePass application/workspace is locked or closed, as remnants may persist in memory pages or crash dumps. Since the first character can be easily enumerated, this flaw is functionally equivalent to a complete master password leak.
## Exploitation
- Status: PoC available (Published May 18, 2023)
- Complexity: Low (Requires local machine access and memory access capabilities)
- Attack Vector: Local
## Impact
- Confidentiality: High (Complete compromise of all credentials stored in the database)
- Integrity: Low (The vulnerability does not directly modify the database or application logic)
- Availability: Low (The vulnerability does not directly impact the availability of the application or system)
## Remediation
### Patches
- Update KeePass to version **2.54.0** or later.
### Workarounds
These steps are noted as technically possible but potentially impractical for most users:
1. Change the KeePass master password regularly ('File' → 'Change Master Key').
2. Delete crash dumps regularly.
3. Delete the hibernation file regularly.
4. Delete the `pagefile`/`swapfile` regularly.
5. Overwrite deleted data on the HDD regularly (to prevent file carving of residual data).
6. Ensure VMs hosting vulnerable KeePass instances are not publicly exposed or otherwise vulnerable to critical network vulnerabilities (general hardening).
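The version check and the scriptable parts of the workarounds above (steps 2 to 5), as an added PowerShell example that is not part of the advisory or of the KeePass project. It assumes a standard Windows installation: the default KeePass 2.x install path, the default WER and kernel dump folders, `powercfg` for removing the hibernation file, the `ClearPageFileAtShutdown` registry value for the page file, and `cipher.exe /w` for overwriting free space; adjust these for your environment and run it from an elevated session.

```powershell
# Added example (not from the advisory or the KeePass project). Checks the
# installed KeePass build against the fixed release and applies the
# workaround steps that can be scripted. Paths and mechanisms below are
# assumptions about a standard Windows install; tune them for your estate.
#Requires -RunAsAdministrator

# First release that contains the fix for CVE-2023-32784.
$FixedVersion = [version]'2.54'
# Default KeePass 2.x install location (assumption; override with -Path).
$KeePassExe = Join-Path $env:ProgramFiles 'KeePass Password Safe 2\KeePass.exe'

function Test-KeePassVulnerable {
    param([string]$Path = $KeePassExe)
    if (-not (Test-Path $Path)) {
        Write-Warning "KeePass.exe not found at $Path"
        return $null
    }
    # FileVersion of KeePass.exe carries the release number, e.g. 2.53.1.0
    $installed = [version](Get-Item $Path).VersionInfo.FileVersion
    # Only the 2.x line before 2.54 is affected.
    $vulnerable = ($installed.Major -eq 2) -and ($installed -lt $FixedVersion)
    [pscustomobject]@{ Path = $Path; Version = $installed; Vulnerable = $vulnerable }
}

function Remove-CrashDumps {
    # Step 2: default user-mode (WER) and kernel dump locations, plus a custom
    # WER DumpFolder if one has been configured in the registry.
    $locations = @(
        (Join-Path $env:LOCALAPPDATA 'CrashDumps'),
        (Join-Path $env:SystemRoot 'Minidump'),
        (Join-Path $env:SystemRoot 'MEMORY.DMP')
    )
    $wer = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
    $custom = (Get-ItemProperty -Path $wer -Name DumpFolder -ErrorAction SilentlyContinue).DumpFolder
    if ($custom) { $locations += [Environment]::ExpandEnvironmentVariables($custom) }

    foreach ($loc in $locations) {
        if (-not (Test-Path $loc)) { continue }
        Get-ChildItem -Path $loc -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.dmp' } |
            ForEach-Object { Remove-Item -Path $_.FullName -Force; $_.FullName }
    }
}

function Disable-Hibernation {
    # Step 3: turning hibernation off makes Windows delete hiberfil.sys, so no
    # memory image is written to disk (note: this also disables Fast Startup).
    powercfg.exe /hibernate off
}

function Enable-PageFileClearing {
    # Step 4: have Windows overwrite the page file with zeros at every shutdown.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    Set-ItemProperty -Path $key -Name ClearPageFileAtShutdown -Value 1 -Type DWord
}

function Clear-FreeSpace {
    # Step 5: overwrite unallocated space so deleted dumps cannot be carved.
    # This is slow on large volumes; schedule it rather than running it ad hoc.
    param([string]$Drive = 'C:\')
    cipher.exe /w:$Drive
}

$status = Test-KeePassVulnerable
$status | Format-List
if ($status -and $status.Vulnerable) {
    Write-Warning "KeePass $($status.Version) is affected; upgrade to 2.54 or later."
    Remove-CrashDumps
    Disable-Hibernation
    Enable-PageFileClearing
    # Clear-FreeSpace   # uncomment to run step 5 as well
}
```

The `[version]` comparison is deliberately done against `2.54` rather than `2.54.0` so that a FileVersion reported as `2.54` or `2.54.0.0` both compare as fixed. Step 1 (changing the master key) is a user action inside KeePass and is not scripted here; the first step that actually removes the exposure is the upgrade itself.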
## Detection
- Indicators of compromise: Anomalous reading or dump activity on process memory space for the KeePass process, presence of cleartext password fragments in system memory or crash dumps.
- Detection methods and tools: Security tools capable of scanning process memory or inspecting hibernation/page files for sensitive strings (e.g., the Wiz platform, which the source notes provides a pre-built query for this CVE).
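One way to hunt for the first indicator above (anomalous reads of the KeePass process memory), as an added PowerShell example that is not part of the advisory: it queries Sysmon ProcessAccess events (Event ID 10) for processes that opened `KeePass.exe` with a granted access mask that includes `PROCESS_VM_READ`. It assumes Sysmon is installed and configured to log ProcessAccess events whose target is KeePass.exe (for example with a `<ProcessAccess onmatch="include">` rule whose `TargetImage` ends with `KeePass.exe`); the list of expected source images is a placeholder to tune for your environment.

```powershell
# Added example (not from the advisory). Surfaces Sysmon Event ID 10 records
# where a process other than an expected one obtained memory-read access to
# KeePass.exe. Requires Sysmon with ProcessAccess logging for KeePass.exe.

# Process access-right bits from winnt.h.
$PROCESS_VM_READ = 0x0010

# Source images you expect to open KeePass (assumed examples; tune this list).
$ExpectedSources = @('\KeePass.exe', '\csrss.exe', '\MsMpEng.exe')

function Get-SysmonEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <Data Name="..."> elements of the event into a hashtable.
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data['TimeCreated'] = $Event.TimeCreated
    return $data
}

function Find-KeePassMemoryAccess {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonEventData -Event $_ } |
        Where-Object { $_.TargetImage -like '*\KeePass.exe' } |
        ForEach-Object {
            $evt = $_
            # Sysmon records GrantedAccess as a hex string such as 0x1FFFFF.
            $mask = [int]$evt.GrantedAccess
            $src  = $evt.SourceImage
            $isExpected = [bool]($ExpectedSources | Where-Object { $src -like "*$_" })
            if ((($mask -band $PROCESS_VM_READ) -ne 0) -and -not $isExpected) {
                [pscustomobject]@{
                    Time          = $evt.TimeCreated
                    SourceImage   = $src
                    SourcePid     = $evt.SourceProcessId
                    TargetImage   = $evt.TargetImage
                    GrantedAccess = $evt.GrantedAccess
                    CallTrace     = $evt.CallTrace
                }
            }
        }
}

# Review the last day of activity; feed the output to your SIEM or ticketing.
Find-KeePassMemoryAccess -Hours 24 | Format-Table -AutoSize
```

Treat a hit as a lead rather than a verdict: legitimate tooling (EDR agents, debuggers, backup software) also opens processes with `PROCESS_VM_READ`, so the allow-list and the `CallTrace` field are what separate routine access from a dump of the KeePass process. The second indicator on the page, password fragments inside hibernation or page files, is a separate check that requires scanning those files for known sensitive strings and is outside this query.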
## References
- Vendor Advisories: [https://keepass.info/news/n230603_2.54.html](https://keepass.info/news/n230603_2.54.html)
- Proof of Concept: [https://github.com/vdohney/keepass-password-dumper](https://github.com/vdohney/keepass-password-dumper)
- Related Article: [https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-is-coming-soon/](https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-is-coming-soon/)