12/30/2023 0 Comments Keepass 1 vs 2The problem is the malicious executable was signed by the dev himself. Unless an attacker has stolen the developer’s private code signing keys, no. “It can just replace the keepass executable” File write access for user profile files should never be “game over” for the whole system. We have administrators, UAC, secure desktop, etc… for a reason. User level privilege does not equal System level. This is the dumbest thing said in security. “it is obvious that if a program be malicious in desktop, then that program can do anything in system.” “KeepassXC doesn’t have RAM encryption when the database is open” “Everyone switch to KeepassXC without thinking,” Now You: which password manager do you use? (via Günter Born) Still, triggers make the exporting of entire password databases simple. Attackers who gain access to a system have lots of options at their disposal regarding data theft and other malicious activities. Keeping a computer system secure is of paramount importance. It loads KeePass database files and may be used instead of KeePass. Option 2: Switching to KeePassXC or another fork The password manager version does not support one-time passwords, smart cards, certificates, entering the master password on secure desktop, FIPS mode, custom string fields, the entry history, or recycle bin.Ī full list of differences is available here. It needs to be noted that KeePass 1.x lacks support for several features other than triggers. KeePass 1.x is a limited version of the password manager that does not support triggers. KeePass users have some options at their disposal. Users need to uncheck the box to disable exporting without requiring a master key.Īttackers may turn this off, however, if they have write access to the system. The setting is found under Tools > Options > Policy > Do not require entering current master key before exporting. KeePass users find an option in the settings to require a master key when exporting. Enforced configuration files apply only to Keepass executable files in the same directory. Even if write access is disabled to KeePass files and folders to make sure that an attacker could not modify the enforced configuration file without elevated rights, an attacker might still be able to launch a different instance of KeePass to load the database. The use of the enforced configuration file does not address the underlying issue. The special configuration file has priority over the regular configuration file of the KeePass password manager. A user of the software suggested the feature, but it has been closed.ĭominik Reichl, the developer of the password manager, argues that users can already block triggers through the use of an enforced configuration file. KeePass won't get confirmation options implemented when certain triggers are executed. Systems need to be protected with anti-virus software, a firewall, and users should not run actions on the systems, such as opening unknown e-mail attachments, to keep it secure. KeePass argues that the only way to prevent password theft is to keep the computing environment secure. The attacker could simply replace the KeePass executable with a malicious one, add malicious programs to the system's autostart, modify configuration files for other apps or change Registry information. With write access, an attacker may "perform much more powerful attacks than modifying the configuration file". The main argument leveled against the vulnerability is that if an attacker has write access to the system, that system is compromised and not secure anymore. It is described on the official security issues page of the KeePass website. Passwords are saved in clear text to a file and the attacker would need to obtain that file later on to gain access to all stored passwords. An attacker has to add a trigger to the file that executes when a password database file is open to export the data silently in the background. The vulnerability described requires write access to the KeePass configuration file. The official help file has a section on Triggers in KeePass. Triggers may be used for a variety of tasks, including exporting the active database to a file or URL. They are run automatically when all trigger conditions are fulfilled. Triggers automate workflows in KeePass 2.x. The password manager prompts for the master password whenever data is exported after installation of the update. Update: KeePass 2.53.1 introduced a change that addresses the issue. According to the warning, attackers with write access to the KeePass configuration file may modify it with triggers to export the entire password database in cleartext without user confirmation. The Federal Cyber Emergency Team of Belgium, cert.be, released a warning regarding KeePass. ADVERTISEMENT KeePass XC: fork of KeePass without the issue
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |