In the past two weeks, there have been reports of a “master password crack” in KeePass, a popular open-source password manager. The bug was assigned an official CVE identifier (CVE-2023-32784) and caused concern because the master password is the key to a user’s entire vault. However, an attacker who wants to exploit it must already have a foothold on the victim’s computer, typically malware that can read process memory or watch keystrokes and running programs, which makes it a manageable risk until the creator of KeePass releases a fix, expected at the beginning of June 2023. The root cause is confidential data being left in memory after use: KeePass did not purge every copy of the password once it was finished with it. Malware that is already on a system can capture almost any typed-in password anyway, but the window of exposure should be the brief period while it is being typed, not the minutes, hours or days afterwards during which stale copies linger in memory.
The practical consequence is that a user’s KeePass master password may be recoverable from system data even after the program has exited, because pages of process memory can end up saved to disk in the swap (page) file or the hibernation file. On a Windows computer without BitLocker or another form of full-disk encryption, a thief who steals the laptop can boot from a USB stick or CD, read those files directly and search them for the master password. A long-lived copy of the password in memory also means it can be recovered from a memory dump of the KeePass process taken long after the user typed it in and long after KeePass had any legitimate need to keep it.
Programmers need to ensure that every copy of a secret is purged from memory as soon as it is no longer needed, not just the final buffer they can see. Code that a security-conscious reviewer signs off with a comment such as “appears to clean up correctly after itself” may still leave intermediate copies behind, and that kind of leakage is not obvious from reading the code alone. KeePass users who use full-disk encryption with a strong password and whose system is free of malware should be safe from password theft via this bug.
A high-level look at how secret data can get left behind in memory, in ways that are not directly visible in the code, shows why this care is needed. In a simulated password storage program, the secret survived in memory after the program was done with it, which in a real application would be exactly the kind of leak described above. The lesson is the same one that applies to KeePass: the exposure window for a typed-in secret should end when the user stops typing, not stretch on for minutes, hours or days afterwards.
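As an added illustration (not code from the original article or from the KeePass project), the following small C program simulates the kind of leak described in the two paragraphs above. A password is “typed” into a string that grows one keystroke at a time, so every keystroke produces a fresh, longer copy; afterwards a scan of the program’s memory counts how many copies are still readable. The toy arena standing in for the heap, the sample password “secret1” and the three cleanup policies are all constructed for the example; the mechanism is a generic one and is not a claim about how KeePass’s own code behaves.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy arena standing in for the process heap (constructed for this example).
 * Blocks are bump-allocated and never reused, so whatever a released block
 * held stays visible to a later scan, just as it does in a real heap, a swap
 * file or a hibernation file until the memory happens to be overwritten. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_top;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

static unsigned char *arena_alloc(size_t n) {
    if (n > ARENA_SIZE - arena_top) return NULL;
    unsigned char *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* Wipe that the compiler must not drop as a "dead store": every write goes
 * through a volatile pointer. explicit_bzero()/memset_s() do the same job
 * where available; a plain memset() right before free() may be optimised out. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

enum wipe_policy {
    WIPE_NONE = 0,       /* never clear anything */
    WIPE_FINAL_ONLY = 1, /* clear the finished string: looks tidy in review */
    WIPE_ALL = 2         /* also clear every intermediate copy when superseded */
};

/* Simulated password entry: each keystroke builds a new, longer copy of the
 * string. The previous copy is released (free() in a real program) but is
 * only cleared under WIPE_ALL. */
static unsigned char *type_password(const char *keys, enum wipe_policy pol) {
    unsigned char *cur = NULL;
    size_t len = 0;
    for (const char *k = keys; *k; ++k) {
        unsigned char *next = arena_alloc(len + 2);
        if (!next) return NULL;
        if (cur) memcpy(next, cur, len);
        next[len] = (unsigned char)*k;
        next[len + 1] = '\0';
        if (cur && pol == WIPE_ALL) secure_wipe(cur, len + 1);
        cur = next;
        len++;
    }
    return cur;
}

/* What a memory-dump search would turn up: NUL-terminated strings in the
 * arena equal to the password or to a prefix of it at least min_len long. */
int count_leftovers(const char *password, size_t min_len) {
    size_t plen = strlen(password);
    int found = 0;
    for (size_t i = 0; i < ARENA_SIZE; ++i) {
        size_t l = 0;
        while (l < plen && i + l < ARENA_SIZE &&
               arena[i + l] == (unsigned char)password[l]) l++;
        if (l >= min_len && i + l < ARENA_SIZE && arena[i + l] == '\0') found++;
    }
    return found;
}

/* Run one scenario: "type" the password, use it, apply the policy's final
 * cleanup, then scan memory. Returns the number of recoverable copies. */
int simulate(const char *password, enum wipe_policy pol) {
    arena_reset();
    unsigned char *final = type_password(password, pol);
    if (!final) return -1;
    /* ... the program would unlock the database here, then be done with it ... */
    if (pol != WIPE_NONE) secure_wipe(final, strlen(password) + 1);
    return count_leftovers(password, 3);
}

int main(void) {
    const char *pw = "secret1"; /* constructed sample password */
    printf("no wipe:         %d copies left\n", simulate(pw, WIPE_NONE));
    printf("wipe final only: %d copies left\n", simulate(pw, WIPE_FINAL_ONLY));
    printf("wipe every copy: %d copies left\n", simulate(pw, WIPE_ALL));
    return 0;
}
```

The middle policy is the one a reviewer is most likely to wave through: the code visibly zeroes the password buffer before it lets go of it, yet every partial copy created while the string was being built is still sitting in memory, which is what makes the leak invisible from a straight reading of the code. Only the policy that clears each superseded copy at the moment it is superseded leaves nothing for a memory dump or a swap-file search to find.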
To protect against the bug, KeePass users should use full-disk encryption with a strong password, so that swap and hibernation files cannot be read from a stolen or powered-off machine, and should keep their system free of malware. Programmers should make sure that every trace of confidential data is eliminated from memory as soon as they are done with it, including intermediate copies. Users should assume that malware already on their system can capture almost any typed-in password through real-time snooping, but the exposure should be limited to the brief period of typing rather than extended indefinitely by stale copies in memory. The creator of KeePass is expected to release an update at the beginning of June 2023.