Users of the KeePass password manager should exercise extra caution over the next few weeks, due to a newly discovered security bug in the tool.
According to Bleeping Computer, a newly discovered memory dump vulnerability in the KeePass application could let an attacker recover the master password in plaintext even when the database is locked or the program has been closed. A patch for this critical issue will not be available until early June.
The security researcher who reported the vulnerability has also published a proof of concept showing that it can be exploited successfully. An attacker can dump the application's memory and collect the master password in plaintext, even if the KeePass database is closed, the program is locked, or the workspace has simply been left open. The string recovered from memory lacks the first one or two characters of the password, but the remainder is enough to guess the whole password afterward.
The exploit is written for Windows, but Linux and macOS are also said to be vulnerable, because the problem lies inside KeePass itself and not in the operating system. To extract the password, an attacker would need either remote access to the computer (for example through malware) or direct access to the victim's machine.
According to the security expert, all versions of KeePass 2.x are affected. KeePass 1.x, KeePassXC, and Strongbox, other password managers compatible with KeePass database files, are not affected.
The fix is planned for KeePass version 2.54, which is expected in early June.
An unstable beta version of KeePass that includes security mitigations is already available, and according to Bleeping Computer the security researcher was no longer able to reproduce the password theft against it.
However, even after KeePass is upgraded to a fixed version, the password may still be recoverable from the program's memory files. For complete protection, users would need to wipe the computer entirely by overwriting the existing data and then reinstall the operating system.
Experts advise that a good anti-virus program will reduce the risk, and that users should change their KeePass master password once the official fixed version is released.