ericgeater
Community Champion

KeePass vuln revealed

Since we were just talking about password managers, this was a timely find.


KeePass Vulnerability Imperils Master Passwords (darkreading.com)


Keep your PC safe for a little while as the patch is written.

-----------
A claim is as good as its veracity.
1 Reply
denbesten
Community Champion

You beat me to it :-).  And echoing Eric's advice, "Let's be careful out there" [cite - Sgt. Esterhaus].


Mitigation is to upgrade to current (2.54), which was released today.


The relevant CVE does not yet have a score, but the brief description ("recover the cleartext master password from a memory dump") tells us it will have "attack vector: local", "Privileges required: low", "Confidentiality Impact: high". Based on this, if you are the slightest bit concerned about compromise, after upgrading to current, also change your master password, then sync everywhere so all copies of the old vault are overwritten.


And to protect against loss, make a "portable apps" copy of the application and your vault, write your master password on a slip of paper and place both into your physical safe or a safe deposit box. Then, once in a blue moon, take it out and re-sync it.  Remember, an old password list is better than no password list.