[German]The developers of the password safe KeePass have improved the new version KeePass 2.53.1 with regard to the vulnerability CVE-2023-24055. Specifically, the export function for passwords has been secured. This was preceded by a warning from the Cyber Emergency Response Team from Belgium (CERT.be) on January 27, 2023, which pointed out a vulnerability. Passwords could potentially be easily exported by a local attacker.
KeePass Password Safe is a free password management program developed by Dominik Reichl and available under the terms of the GNU General Public License. KeePass encrypts the entire database, which can also contain usernames and the like. The password manager is probably in use by some users.
The CERT.be warning about password theft
As of January 27, 2023, the Cyber Emergency Response Team from Belgium (CERT.be) warned of a vulnerability (CVE-2023-24055) in KeePass. In the default setup, write access to the XML configuration file was possible. This leads to the vulnerability CVE-2023-24055, which could open the way for an attacker to obtain the plaintext passwords by adding an export trigger (Unauthenticated RCE, Information disclosure).
I had reported here on the blog in the post CERT Warning: Default KeePass Setup Allows Password Theft (CVE-2023-24055). There was then a lot of discussion regarding the proposed hardening methods. The bottom line is that if there is a local attacker on the system, using a password manager is critical. This was also the reasoning of the KeePass development team.
KeePass ecures export function
German blog reader Stefan K. already pointed out to me on February 8, 2023 that the KeePass developers had apparently made improvements (thanks for that). In KeePass version 2.53.1 the export without entering the master password was completely removed.
The release notes state: The "Export – No Key Repeat" application policy flag has been removed; KeePass now always asks for the current master key when it tries to export data. The new version of KeePass contains also a couple of other fixes, which can be read in the release notes.
Cookies helps to fund this blog: Cookie settings