KeePass disputes report of flaw that could exfiltrate a database

Recent security incidents around password managers such as Bitwarden and 1Password, and a posting last week by independent security researcher Alex Hernandez claiming that the open-source KeePass password manager has a flaw, have sparked discussion in the industry around password managers. It was reported last week that Bitwarden and 1Password were targeted in Google Ads phishing campaigns that aimed to steal user password vault credentials. A security breach at LastPass that first came out late last year and a credential stuffing attack at Norton reported in mid-January have illustrated that the master passwords used to secure vaults in cloud-based password managers are a potential security risk.

KeePass has been viewed in the industry as less user-friendly than the cloud-based options, but technical users depend on its security because it encrypts all passwords - and the entire database - and stores them locally on a personal computer rather than in a password vault hosted in the cloud.

According to Hernandez's post, an attacker who has write access to a KeePass configuration file can modify it and inject malicious triggers, obtaining the cleartext passwords by adding an export trigger. The victim then opens KeePass normally (saving changes, for example), and the trigger executes in the background, exfiltrating the credentials and ultimately the full database to the attacker's web server. Following Hernandez's post, NIST issued CVE-2023-24055 and the matter is under review.

Dominik Reichl, who developed KeePass and issued its first release in November 2003, said in response that having write access to the KeePass configuration file typically implies that an attacker can perform much more powerful attacks than modifying the configuration file. Reichl pointed out that such attacks can in the end also affect KeePass regardless of any protection applied to the configuration file.
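The scenario above reduces, from a defender's side, to two checks on the locally stored configuration file: has it changed since it was last reviewed, and does it now define triggers that the user never created? The following script is an added example, not code from the article or from the KeePass project. It assumes that KeePass keeps its triggers in the XML configuration under `Application/TriggerSystem/Triggers/Trigger`, each with a `<Name>` and an `<Actions>` list (an assumption about the layout; verify against your installed version), and the two sample configurations embedded below are constructed for the demo.

```python
"""Audit a KeePass-style XML configuration for unexpected triggers.

Added example, not from the article or the KeePass project.
Assumed layout: Application/TriggerSystem/Triggers/Trigger, with <Name>,
<Events>/<Event> and <Actions>/<Action> children. Sample configs are constructed.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: a config into which someone with write access added a trigger.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Name>sync</Name>
          <Events><Event/></Events>
          <Actions><Action/><Action/></Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed sample: the config as it looked when the user last reviewed it.
CLEAN_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
      <Triggers/>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def sha256_hex(data: bytes) -> str:
    """Fingerprint the raw file bytes; record this when the config is reviewed."""
    return hashlib.sha256(data).hexdigest()


def config_changed(current: bytes, baseline_hex: str) -> bool:
    """Integrity check against the fingerprint recorded at the last review."""
    return sha256_hex(current) != baseline_hex


def list_triggers(config_xml: str) -> List[Dict]:
    """Enumerate every trigger definition and whether the trigger system is on."""
    root = ET.fromstring(config_xml)
    trigger_system = root.find("Application/TriggerSystem")
    enabled = (
        trigger_system is not None
        and (trigger_system.findtext("Enabled") or "").strip().lower() == "true"
    )
    found = []
    for trig in root.findall("Application/TriggerSystem/Triggers/Trigger"):
        found.append({
            "name": trig.findtext("Name") or "<unnamed>",
            "events": len(trig.findall("Events/Event")),
            "actions": len(trig.findall("Actions/Action")),
            "system_enabled": enabled,
        })
    return found


def audit(config_xml: str, baseline_hex: Optional[str] = None) -> List[str]:
    """Return findings to show the user; an empty list means nothing to flag."""
    findings = []
    if baseline_hex is not None and config_changed(config_xml.encode(), baseline_hex):
        findings.append("config file hash differs from reviewed baseline")
    for t in list_triggers(config_xml):
        # Any active trigger is worth a look: export actions live here too.
        if t["system_enabled"]:
            findings.append(f"active trigger '{t['name']}' with {t['actions']} action(s)")
    return findings


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_CONFIG.encode())
    for line in audit(SAMPLE_CONFIG, baseline):
        print("FINDING:", line)
```

The script flags every active trigger rather than trying to recognise export actions by type, because a user who created no triggers should see none at all; the hash comparison covers the case the article describes, where the file is rewritten by someone other than the user.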
"These attacks can only be prevented by keeping the environment secure by using anti-virus software, a firewall, or not opening unknown email attachments," said Reichl. "KeePass cannot magically run securely in an insecure environment."

Jack Poller, a senior analyst at TechTarget's Enterprise Strategy Group, said the fix proposed by a commenter in a SourceForge discussion - asking the user to authenticate before decrypting and exporting the password vault - helps increase the security of KeePass in an insecure environment. Poller said it balances security, usability, and difficulty of implementation.

"As best as I can tell, Dominik believes that if an attacker has access to the user's PC, the attacker can get access to anything and everything, and thus Dominik should not take any extra steps to prevent the attacker from decrypting the password database," said Poller. "Specifically, Dominik says 'KeePass cannot magically run securely in an insecure environment' - but that's the opposite of the new paradigm being adopted for cybersecurity strategy: zero trust, where we trust no one, and require continuous authentication and authorization for every transaction. This enables applications to provide the best security possible in a potentially insecure environment. I am surprised and flummoxed by Dominik's continuing reluctance to make this change."

Poller added that in the LastPass breach in November, while attackers could access the user's password database, they did not obtain the user's encryption keys and thus could not decrypt the database. Poller said LastPass only encrypted passwords: website URLs, IP addresses and other data were unencrypted, giving the attackers a tremendous amount of information with which to build user profiles and start credential stuffing and social engineering attacks, not to mention blackmail material.
"As we suffer more breaches, we're coming to learn that almost all information is sensitive, and should be encrypted to prevent unauthorized access, especially when exfiltrated," said Poller. "Attackers flock to the most popular vaults, which will have the biggest payday for their efforts to break in. So I'm not surprised that attackers are using sophisticated attacks such as Google ad phishing and typosquatting campaigns to target users of password managers."

This Cyber News was published on packetstormsecurity.com. Publication date: Wed, 01 Feb 2023 19:26:55 +0000
