February 15, 2023, by Ilana Touboul and Ebin Sandler

Newly discovered KeePass flaw enables theft of plaintext passwords

While KeePass did not provide a foolproof fix, it suggested a workaround to counter malicious triggers implemented by threat actors trying to steal data.


The Headline

The creators of the open-source password management software KeePass are addressing a recently discovered vulnerability (CVE-2023-24055) that enables unauthorized actors to export complete user databases in plaintext. While neither the National Vulnerability Database (NVD) nor the Common Vulnerability Scoring System (CVSS) had assigned the vulnerability a score as of January 31, 2023, Cybersixgill's CVEs Module assigned the flaw a critical score of 9.85. This score could increase further as underground discussions about the threat flare up.

Successful exploitation of the vulnerability may allow malicious actors with write permissions to manipulate the KeePass Extensible Markup Language (XML) configuration file and introduce a malicious trigger that exports the database, including all stored usernames and passwords, in clear text. When victims launch KeePass and enter their master password to open and decrypt the database, that action fires the export trigger, saving all database contents to a file that malicious actors could subsequently exfiltrate to an attacker-controlled system.

This sensitive data could subsequently be misused for network intrusions and sophisticated attacks. A Proof-of-Concept (PoC) exploit for CVE-2023-24055 has already been released online, increasing the likelihood that malware developers will add to stealer malware the ability to dump and steal KeePass database contents from infected devices.

After the flaw was reported and assigned a CVE identification number, users requested that KeePass developers introduce a confirmation prompt before silent database exports, such as those triggered by maliciously altered configuration files. Other proposed alternatives include (1) a KeePass version that excludes the export feature altogether; and (2) a configurable flag, stored inside the KeePass database, that disables exporting and can only be changed by a user who knows the master password.

While the Computer Emergency Response Teams (CERTs) of both the Netherlands and Belgium issued CVE-2023-24055 security advisories, KeePass denied that the issue constitutes an actual vulnerability, arguing that attackers with write access to a target device could obtain KeePass database information via alternative methods, without elaborating on them. KeePass further noted that threat actors could replace the KeePass executable with malware if the user runs the portable version.

According to KeePass developers, the presence of write access to the KeePass configuration file suggests that attackers could launch attacks with a far greater impact than simply altering configuration files. These attacks could have a devastating effect on KeePass, regardless of the configuration file’s protection. According to KeePass, the only way to prevent such attacks is to maintain a secure environment with anti-virus software, firewalls, and policies that prevent responding to suspicious emails, including clicking on links or downloading attachments.

Despite KeePass’ decision not to specifically address the export-to-clear-text vulnerability, users can still secure databases by logging in as system administrators and establishing enforced configuration files. Such files would prevail over global and local configuration files, including new triggers added by malicious actors, thereby mitigating the CVE-2023-24055 vulnerability.
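A defender-side audit for the scenario described above: the script below parses a KeePass configuration file and reports every trigger whose action parameters look like a file export, so an administrator can spot an injected trigger before relying on an enforced configuration alone. This is an added example, not code from the original post or from the KeePass project; the element layout (Application/TriggerSystem/Triggers/Trigger/Actions/Action/Parameters) is assumed from the KeePass configuration format, the sample XML is constructed, and the TypeGuid values are placeholders, not real KeePass identifiers.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a KeePass.config.xml fragment with one trigger whose
# single action writes the database to a file. Element names are assumed from
# the KeePass configuration layout; GUIDs are placeholders, not real values.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>CONSTRUCTED-GUID</Guid>
          <Name>Update</Name>
          <Actions>
            <Action>
              <TypeGuid>ACTION-TYPEGUID-PLACEHOLDER</TypeGuid>
              <Parameters>
                <Parameter>C:\Users\Public\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def looks_like_export(param: str) -> bool:
    """Heuristic: a file path or an export-format name in an action parameter."""
    lowered = param.lower()
    return ("\\" in param or "/" in param
            or "export" in lowered or "keepass xml" in lowered)


def audit_triggers(config_xml: str) -> List[Dict[str, object]]:
    """Return one finding per <Trigger>, marking those whose action
    parameters match the export heuristic. An empty list means no triggers."""
    root = ET.fromstring(config_xml)
    findings = []
    for trig in root.iter("Trigger"):
        params = [p.text or "" for p in trig.iter("Parameter")]
        findings.append({
            "name": trig.findtext("Name", default=""),
            "parameters": params,
            "suspicious": any(looks_like_export(p) for p in params),
        })
    return findings
```

In practice the same audit should be run against the global, local and enforced configuration files, since a trigger present in any of them is loaded unless the enforced file overrides that setting.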

Diving Deeper

The CVE-2023-24055 KeePass vulnerability has already generated significant buzz on the underground, with a PoC exploit circulating that threat actors could replicate in real attacks. In addition, Cybersixgill's CVEs Module compiled features related to the vulnerability that provide insight into its evolution over time.

Cybersixgill collected the PoC exploit for CVE-2023-24055 from several GitHub repositories, including one maintained by a penetration tester and security researcher that was shared on a Russian cybercrime forum. That repository provides the PoC along with comprehensive details for exploiting the CVE-2023-24055 flaw, including the code for a malicious trigger that could be injected into the KeePass XML configuration file. It also details (1) the trigger that exports the KeePass database in KeePass XML format, including all credentials in clear text, and (2) the exfiltration of the XML data to an attacker web server using PowerShell, together with the related PowerShell command.

While the GitHub repository provided screenshots of the aforementioned steps for “educational purposes,” cybercriminals could use these instructions to replicate the PoC in malicious operations. The odds of this occurring are even greater because a link to the PoC was posted in a major cybercriminal forum.

Figure 1: PoC for CVE-2023-24055 from a GitHub linked to a cybercriminal forum

The following screenshot displays the CVE-2023-24055 vulnerability scorecard on Cybersixgill’s CVEs Module. This table includes Cybersixgill’s critical score for the flaw (9.85), which is based on discussions of the vulnerability on the surface and underground sources that Cybersixgill collects. Cybersixgill’s CVEs Module score also reflects the release of related PoC exploits.

Figure 2: The CVE-2023-24055 vulnerability scorecard on the Cybersixgill CVEs Module

The score assigned by Cybersixgill is dynamic and represents the current probability that malicious actors will exploit the vulnerability. The score will likely increase as discussions of CVE-2023-24055 increase on the underground. Cybersixgill Investigative Portal users tracking this vulnerability can see its score change in real time as CVE-2023-24055 garners attention, driving more discussions and triggering a swift escalation in its risk assessment.

Takeaways

While KeePass developers have not recognized CVE-2023-24055 as an actual vulnerability, this flaw could enable malicious actors to access plaintext passwords, which could be reused to infiltrate corporate networks. Acquiring these passwords would eliminate the need for phishing schemes and other initial access strategies. Since KeePass databases store passwords for multiple services, threat actors could log into related portals to perform malicious operations, such as data theft and more advanced cyber attacks.

With a PoC in the wild, cybercriminals could quickly replicate the steps required to exploit the flaw. While KeePass developers did not provide a foolproof solution to address the vulnerability, they indicated that logging into databases as a system administrator and establishing an enforced configuration file may be a workaround to mitigate the risks.
