[German]Warning to users of KeePass Password Safe for managing passwords and credentials. The Cyber Emergency Response Team from Belgium (CERT.be) published a warning about KeePass on January 27, 2023. In the default setup, write access to the XML configuration file is possible. This leads to r vulnerability CVE-2023-24055, which could open the way for an attacker to obtain the plaintext passwords by adding an export trigger (Unauthenticated RCE, Information disclosure). However, there are lesser known ways to harden the setup somewhat – whether it is useful is another story. Here is an overview of this topic.
Advertising
The CERT.be warning about password theft
I was informed by blog reader Dreisenberger on Twitter about the article Warning – An attacker who has write access to the KEEPASS configuration file can modify it and inject malicious triggers from CERT.be dated January 27, 2023 – thanks for that.
The Keepass Password Manager
KeePass Password Safe is a free password management program developed by Dominik Reichl and available under the terms of the GNU General Public License. KeePass encrypts the entire database, which can also contain usernames and the like. The password manager is probably in use by some users.
Background: The Keepass event system
KeePass has a system for triggering events, conditions and actions. This system can be used to automate workflows. The problem: An attacker could abuse this feature by injecting malicious triggers into the KeePass XML configuration file. To do this, however, an attacker needs write permissions on the Keepass user's system
The profile problem during installation
Keepass has disclosed the information in this KB article and writes: An attacker who has write access to the KeePass configuration file can maliciously modify it (for example, he could insert malicious triggers). However, this is not a real security vulnerability of KeePass. However, this becomes a problem on Windows if users use the default defaults when setting up the program.
Advertising
Then KeePass is installed by the setup program in such a way that the configuration file in the user's application data directory in:
"%APPDATA%\KeePass"
is stored. This folder is located inside the user profile directory ("%USERPROFILE%"). However, this means that any application running in the user account has access to the KeePass configuration file and can also modify it write-wise. Thus, an attacker would only need to run an application in the context of the user account, and gain write access to the configuration file. This means that various attack scenarios are conceivable.
Different attack scenarios
CERT.be now points out in its warning that an attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g. to fish the plaintext passwords by adding an export trigger. If you go to the Keepass KB post, there are quite a few other problems mentioned. For example, an attacker could inject malware into the startup folder at
"%APPDATA%\Microsoft\Windows\Start Menu\Programme\Startup"
insert. This malware would run automatically after the next user login and could subsequently modify desktop shortcuts (in "%USERPROFILE%\Desktop"), manipulate the user's registry (in HKLU or in the "%USERPROFILE%\NTUSER. DAT" file), or modify configuration files of other applications (e.g., to make a browser automatically open a malicious website), etc.
If the user uses the portable version of KeePass, the configuration file is stored in the application directory (which contains the KeePass.exe file). In this case, write access to the KeePass configuration file is usually equivalent to write access to the application directory. With this capability, an attacker can easily replace the "KeePass.exe" file with malware, for example.
Keepass does write that write access to the KeePass configuration file usually means that an attacker can perform far more powerful attacks than modifying the configuration file (and these attacks can ultimately affect KeePass, regardless of configuration file protection).
Use only in a secure environment
At this point we come to the core problem: Many users use password managers on the one hand to avoid having to remember the many access data, but on the other hand perhaps also to avoid password theft (the access data for username and password are stored encrypted, after all). If the environment in which KeePass runs can be manipulated so that the passwords can be exported in plain text, there is a problem.
Attacks on KeePass and the environment can only be prevented by the user keeping the environment secure. CERT.be and KeePass write that security can be ensured by using antivirus software and a firewall, not opening unknown email attachments, etc.
Since no patch is provided, the CCB (Centre for Cyber security Belgium) suggests implementing a mitigation via the forced configuration feature. To do this, the KeePass Hardening Guide (KeePass Enhanced Security Configuration) on Github lists ways to improve security via a little-known forced configuration file. This feature is primarily intended for network administrators who want to enforce certain settings for users of a KeePass installation, but can also be used by end users to harden their KeePass setup.
Settings in the enforced configuration file KeePass.config.enforced.xml take precedence over settings in global and local configuration files. For example, with the various options for hardening a KeePass environment documented in the GitHub repository Keepass-Enhanced-Security-Configuration, it is possible to completely disable the password export trigger function (XPath Configuration/Application/TriggerSystem). Please note that this hardening is only useful if this file cannot be modified by the end user.
However, this is all an elaborate story and each step wants to be considered (it has to be checked if the hardening is really sufficient). CERT.be then also writes: Organizations might also consider switching to an alternative password manager with support for KeePass password vaults.
Addendum: The KeePass developers disputes the CERT.be warning – Bleeping Computer has addressed this here.
