The issue is that KeePass has this weird feature that queues up a cleartext password export for the next time you authenticate.
That feature is itself configured via a plain-text config file, writable in the user's security context.
An attacker who has write access to the KeePass configuration file KeePass.config.xml can modify it and inject malicious triggers, e.g., to obtain the cleartext passwords by adding an export trigger.
The victim will open KeePass as normal [and] the trigger will execute in the background, exfiltrating the credentials [in] cleartext.
The new vulnerability enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext.
This export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords.
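As an added defensive example (not code from the article or from the KeePass project), the script below audits a KeePass configuration document for triggers and flags any whose action parameters look like an export to a file. The element layout (TriggerSystem/Triggers/Trigger/Actions/Action/Parameters), the marker strings and the sample config are assumptions constructed for this example; the GUIDs are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a KeePass configuration fragment with one trigger whose
# action parameters name an output path and an export format. The element layout
# (TriggerSystem/Triggers/Trigger/Actions/Action/Parameters) is assumed for this
# example; the GUIDs are placeholders, not real KeePass identifiers.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration><Application><TriggerSystem>
  <Enabled>true</Enabled>
  <Triggers>
    <Trigger>
      <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
      <Name>sync</Name>
      <Events><Event><TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid></Event></Events>
      <Actions><Action>
        <TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
        <Parameters>
          <Parameter>C:\\Users\\Public\\db.xml</Parameter>
          <Parameter>KeePass XML (2.x)</Parameter>
        </Parameters>
      </Action></Actions>
    </Trigger>
  </Triggers>
</TriggerSystem></Application></Configuration>
"""

# Substrings that point at an export action: format names and output file types.
EXPORT_MARKERS = ("export", "xml (2.x)", "csv", "html", ".xml", ".csv", ".txt")


def audit_triggers(xml_text):
    """Summarise the trigger system found in a KeePass config document.

    Any trigger at all is worth reviewing on a host where none were configured;
    triggers whose action parameters look like an export are listed in 'flagged'.
    """
    root = ET.fromstring(xml_text)
    enabled = (root.findtext(".//TriggerSystem/Enabled") or "").strip().lower() == "true"
    triggers = list(root.iter("Trigger"))
    flagged = []
    for trig in triggers:
        for action in trig.iter("Action"):
            params = [(p.text or "") for p in action.iter("Parameter")]
            hits = [p for p in params if any(m in p.lower() for m in EXPORT_MARKERS)]
            if hits:
                flagged.append({"trigger": trig.findtext("Name", default="?"),
                                "parameters": hits})
    return {"enabled": enabled, "trigger_count": len(triggers), "flagged": flagged}


if __name__ == "__main__":
    print(audit_triggers(SAMPLE_CONFIG))
```

Run it against the config file of each user profile and compare the trigger count with a known baseline; a config that gained a trigger outside of an administrative change is the signal to investigate.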
Since CVE-2023-24055 was assigned, a proof-of-concept exploit has already been shared online, likely making it easier for malware developers to upgrade information stealers with the ability to dump and steal the contents of KeePass databases.
The KeePass application security layer seems too light and the risk is very important.
In a sensitive application, the password is requested.
My password DB, and especially the keyfile and/or the process that decrypts the secrets in memory, are the most important things on my device.
All they have to do is authenticate the config file or at least some parts of it.
If they refuse to fix their side, KeePass will never be hardened.
BitWarden does not store configuration in an unencrypted local file.
This means there is no file that can be secretly updated with new configuration options.
Bitwarden doesn't have a way to automatically export the database to a plain text file.
All exports require going through the UI. What a mess.
That feature is extremely insecure and makes no sense for a password manager.
It ought not be possible to trigger anything in an unencrypted document or install/run anything over plaintext data without first providing the master passphrase for that password document.
There shouldn't be any way to export plaintext data without explicit user feedback and confirmation in the first place.
This Cyber News was published on securityboulevard.com. Publication date: Thu, 28 Dec 2023 13:43:05 +0000