An attacker who has write access to the KeePass configuration file KeePass.config.xml … can modify it and inject malicious triggers—e.g., to obtain the cleartext passwords by adding an export trigger.
…
Victim will open KeePass as normal [and] the trigger will executed in background, exfiltrating the credentials [in] cleartext.

“KeePass cannot magically run securely”
KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden. … The new vulnerability … enables threat actors with write access to a target’s system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext.
…
This export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords. … Since CVE-2023-24055 was assigned, a proof-of-concept exploit has already been shared online, likely making it easier for malware developers to upgrade information stealers with the ability to dump and steal the contents of KeePass databases.
…
[But] the KeePass development team is arguing that this shouldn’t be classified as a vulnerability: … ”These attacks can only be prevented by keeping the environment secure. … KeePass cannot magically run securely in an insecure environment.”

“I am surprised and flummoxed”
As best as I can tell, Dominick [the KeePass dev] believes that if an attacker has access to the user’s PC [then he] should not take any extra steps to prevent the attacker from decrypting the password database. … But that’s the opposite of the new paradigm being adopted for cybersecurity strategy: Zero trust—where we trust no one, and require continuous authentication and authorization for every transaction.
…
I am surprised and flummoxed by Dominick’s continuing reluctance to make this change. … As we suffer more breaches, we’re coming to learn that almost all information is sensitive, and should be encrypted to prevent unauthorized access, especially when exfiltrated.

“A chain is as strong as its weakest link”
If an attacker modifies the xml config file (adding an export trigger on ‘Opened database file’) he will be able to export all the passwords, without us knowing it. Shouldn’t the user be asked to confirm before exporting? … If a password manager is as secure as a plain text configuration file, why should I use it instead of a spreadsheet to store my passwords?
…
Why do you use KeePass? … I don’t use it so that an attacker can easily access all my passwords, at once, using notepad. … Someone can ask to export all your passwords in clear text … without notification or confirmation. … And how many know that?
…
Having multiple layers of security is better. The KeePass application security layer seems too light and the risk is very important. … In a sensitive application, the password is requested. … A chain is as strong as its weakest link.

“The most important things on my device”
I’d recommend going (and I do) one step further: Lock down the KeePass config file [and] keyfile … to admins only and set the .exe to launch as administrator. The .exe is signed, so at least you have some guarantee it hasn’t been modified. Plus, the UAC prompt doesn’t look scary like it does for unsigned exes.
…
Executables running as administrator have all sorts of protections from other processes in user-land, and most importantly, the keyfile (locked to R/W only by admin) can’t be … exfiltrated by a bog-standard malware process accidentally launched by clicking the wrong thing. It never made sense to me why this isn’t [the default].
…
My password DB, and especially the keyfile and/or the process that decrypts the secrets in memory, are the most important things on my device. Those belong at the highest level of security an OS can offer, not running at the same level as some **** I downloaded from the internet.

“Unsafe defaults”
Unsafe defaults like “we run all plugins, unless someone goes through all the right motions of closing that door in all the right config.xml, config.enforced.xml” … are just terrible. Terrible for any software, and worse for a piece of software that has no purpose at all besides security. What if there’s a typo in your lockdown incantations?
…
That CVE [is] a warning: Avoid security related software from people who enjoy keeping a security edge over the unwashed masses who aren’t in the know, who don’t get a kick out of locking down. Because that’s why they keep the unsafe defaults, they keep them because they enjoy going the extra mile for their own safety.

This isn’t hard to fix. … All they have to do is authenticate the config file or at least some parts of it.
…
Their excuse for not doing this … ”There is no point because the OS is weak already,” doesn’t seem like a good reason not to do it. The OS may be hardened. … If they refuse to fix their side, KeePass will never be hardened.

Bitwarden doesn’t have this particular issue:
1. BitWarden does not store configuration in an unecrypted local file. … Nor, on Windows, in the Registry. This means there is no file that can be secretly updated with new configuration options.
2. Bitwarden doesn’t have a way to automatically export the database to a plain text file. All exports require going through the UI.

That feature is extremely insecure and makes no sense for a password manager. It ought not be possible to trigger anything in an unencrypted document or install/run anything over plaintext data without first providing the master passphrase for that password document. That should be obvious.
…
You have to think about security as being layered. … There shouldn’t be any way to export plaintext data without explicit user feedback and confirmation in the first place. That this is triggered by an unprotected global configuration file is just the icing on the cake.

Saying, “Oh the PC is compromised, all is lost,” is a very nihilistic way of handling this issue. … If this argument sticks, why not just use an Excel file? The developers of KeePass are very emotionally defensive and dismissive on this. … A fix is quite simple.

Such a trash response from a provider of software that’s supposed to protect sensitive data.

Recent Articles By Author