

The Federal Cyber Emergency Team of Belgium, cert.be, released a warning regarding KeePass. According to the warning, attackers with write access to the KeePass configuration file may modify it with triggers to export the entire password database in cleartext without user confirmation.

Triggers automate workflows in KeePass 2.x; the official help file has a section on Triggers in KeePass. They run automatically when all trigger conditions are fulfilled and may be used for a variety of tasks, including exporting the active database to a file or URL.

The vulnerability described requires write access to the KeePass configuration file. An attacker has to add a trigger to the file that executes when a password database file is opened and exports the data silently in the background. The passwords are saved in clear text to a file, and the attacker would need to obtain that file later on to gain access to all stored passwords.

The main argument leveled against the vulnerability is that if an attacker has write access to the system, that system is already compromised and not secure anymore. This position is described on the official security issues page of the KeePass website.

Update: KeePass 2.53.1 introduced a change that addresses the issue. After installation of the update, the password manager prompts for the master password whenever data is exported.
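The check a defender would want after reading this, as an added example that is not code from the article or from the KeePass project: a small Python script that parses a KeePass.config.xml, lists every trigger defined in it, and reports any trigger that is not on an allowlist, so a trigger added by someone with write access to the file stands out. The element layout it walks (Configuration/Application/TriggerSystem/Triggers/Trigger with Name, Enabled, Events and Actions children) is an assumption about the KeePass config format and should be verified against your own file; the embedded sample configurations and their GUID values are constructed placeholders, not real KeePass identifiers.

```python
"""Audit a KeePass 2.x configuration file for trigger definitions.

Added example, not code from KeePass or from the article. The element
names below are assumptions about the layout of KeePass.config.xml;
confirm them against a real config file before relying on the output.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Set

# Constructed sample: a config with no triggers at all (the expected state
# on a machine where the user never created any).
SAMPLE_CONFIG_NO_TRIGGERS = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers />
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed sample: one enabled trigger with a single event and a single
# action whose parameter is an output path. GUIDs are placeholders only.
SAMPLE_CONFIG_WITH_TRIGGER = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>Sync</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event><TypeGuid>PLACEHOLDER-EVENT-TYPE</TypeGuid></Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-TYPE</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\export.xml</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def list_triggers(config_xml: str) -> List[Dict]:
    """Return one summary dict per <Trigger> element found in the config."""
    root = ET.fromstring(config_xml)
    found = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        actions = trig.findall("./Actions/Action")
        # Collect every action parameter; for an export action this is where
        # the destination file or URL would appear.
        params = [p.text or "" for a in actions
                  for p in a.findall("./Parameters/Parameter")]
        found.append({
            "name": (trig.findtext("Name") or "").strip(),
            "enabled": (trig.findtext("Enabled") or "").strip().lower() == "true",
            "events": len(trig.findall("./Events/Event")),
            "actions": len(actions),
            "parameters": params,
        })
    return found


def audit(config_xml: str, allowlist: Set[str]) -> List[str]:
    """Return a human-readable finding for each trigger not on the allowlist."""
    findings = []
    for t in list_triggers(config_xml):
        if t["name"] in allowlist:
            continue
        state = "enabled" if t["enabled"] else "disabled"
        findings.append(
            f"unexpected trigger '{t['name']}' ({state}, {t['events']} event(s), "
            f"{t['actions']} action(s), parameters={t['parameters']})")
    return findings


def main() -> None:
    # With a path argument, audit that file; otherwise run on the samples.
    if len(sys.argv) > 1:
        xml_text = Path(sys.argv[1]).read_text(encoding="utf-8-sig")
    else:
        xml_text = SAMPLE_CONFIG_WITH_TRIGGER
    findings = audit(xml_text, allowlist=set())
    print("\n".join(findings) if findings else "no triggers defined")


if __name__ == "__main__":
    main()
```

On an installed KeePass the file is normally %APPDATA%\KeePass\KeePass.config.xml (for the portable build it sits next to KeePass.exe); pass that path as the first argument. The script only reports; it does not remove triggers or replace the update to 2.53.1, which is the fix the article describes.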

KeePass XC: fork of KeePass without the issue
