Pleasant Password Server Products Protect against CVE-2023-24055
Regarding: CVE-2023-24055
Summary:
Password Server can already stop this unintended behavior. Password Server detects and records every password request individually with event logs, storing them securely in the audit records. In version 7.11.41, KeePass triggers are blocked and restricted.
The KeePass authors are perhaps correct to dispute this vulnerability, as exploiting it requires a high level of folder access, and KeePass by itself is not an endpoint protection application.
However, Password Server mitigates these concerns with auditing, with the ability to store the enforced configuration file securely in the database, and with the option to block access to KeePass altogether where necessary while users continue to access passwords through the web application. Read further for more information.
"KeePass for Password Server" provides:
- Enforced Configuration files using strong Enterprise Security
- KeePass config files can be locked down
- Export can be disabled, blocking user export of passwords/data
Password Server can further minimize the risk:
- Audit events can be centralized and forwarded
- Alerts can be set up (for example in a third-party SIEM application) to notify when many passwords are retrieved at once
- Version 7.11.41:
  - Blocks and restricts KeePass triggers by default, until selectively re-enabled by an admin
  - Optionally blocks access to the API and to KeePass
- Notification triggers from Password Server can notify of password retrieval events
See mitigation section below for more information.
We are now providing an additional hot-fix to add further data security safeguards.
Update Pleasant Password Software
Recent releases of Password Server also include other important Pleasant Password Server security updates; updating is required for those unrelated issues as well.
Download unrelated security patches (Stable / Latest):
Risks
IT security personnel will recognize the limited nature and scope of this concern and should manage it accordingly.
For users who keep their own standard KeePass files, there may be additional concerns; those users can be pointed to the mitigation steps below.
Although this vulnerability may look surprising or concerning, each password access is audit logged, can be detected, and can be mitigated with Password Server's security features.
- It is a lower-risk, lower-probability vulnerability for most individuals and organizations
- It requires significant access to take advantage of it
The access required to take advantage of it is limited in scope. All of the following must be met:
- a malicious actor with the intent and specific knowledge to take advantage of it,
- access to a breached workstation,
- knowledge of the KeePass location on the device,
- access to secure user accounts and file folders: administrative access, or access to the user profile folder,
- the user providing valid authentication into KeePass (in this case, into Password Server), and
- a method of extracting the exported file after the fact.
This is limited to the use of the KeePass desktop client and does not include/affect the web application or other client apps.
However, it is now receiving much attention, and a proof of concept has been published.
Further Mitigation in Your Systems
We recommend taking the steps to mitigate, especially where user password exports are a risk. This functionality will be blocked by default in the version expected shortly.
This is also an opportunity for security administrators to re-examine and harden their server environments, applications, workstations, servers, and networks accordingly.
Password Server Summary:
- Audit events detect and record each separate password retrieval
- Syslogs can be forwarded to a central location
- Alerts can be set up (in a SIEM application) to notify when many passwords are retrieved at one time
- Enforced Config should be enabled to block writing to the config file
- Export features should be disabled for user accounts where this feature is not desired
- Version 7.11.41:
  - Blocks and restricts all triggers by default, until selectively enabled by an admin
  - Can block access to the API and to KeePass
- Notification triggers can notify of these events
Since enforcing the KeePass settings may not be desired in all environments, these are optional for administrators to set.
In the future, we will consider highlighting this feature better at setup time, and also an easier default method of enabling it.
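The "many passwords retrieved at once" alert described above, as an added example that is not Password Server or SIEM vendor code: a sliding-window count of retrieval events per user over forwarded audit lines. The log line format and the sample events are constructed for this example; map the regex to your real syslog format.

```python
"""Added example: flag users whose password retrievals exceed a threshold
inside a sliding time window (a bulk export via a planted trigger looks like
a burst of individual retrievals in the audit log)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: ISO timestamp, user, event name, entry id.
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) entry=(\S+)$")


def parse(line):
    """Return (timestamp, user, event, entry) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {user: peak count} for users with >= threshold retrievals in any window."""
    recent = defaultdict(deque)   # per-user timestamps inside the current window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "PasswordRetrieved":
            continue              # ignore logins and other event types
        ts, user = rec[0], rec[1]
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop retrievals older than the window
        if len(q) >= threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts


def sample_lines():
    """Constructed audit lines: alice fetches 12 entries in 24 seconds,
    bob fetches 3 entries over an hour (normal interactive use)."""
    base = datetime(2023, 2, 1, 9, 0, 0)
    lines = [f"{base:%Y-%m-%dT%H:%M:%SZ} user=bob event=Login entry=-"]
    for i in range(12):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=alice event=PasswordRetrieved entry={1000 + i}")
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} user=bob event=PasswordRetrieved entry={2000 + i}")
    return lines


if __name__ == "__main__":
    print(find_bursts(sample_lines()))
```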
Individual KeePass (standard) - Mitigations:
If users have their own standard KeePass files, review the suggestions for standard KeePass:
- https://keepass.info/help/kb/sec_issues.html#cfgw
- https://keepass.info/help/v2/triggers.html
- https://keepass.info/help/kb/config_enf.html
- https://keepass.info/help/base/configuration.html
Recommended options for individuals with standard KeePass files:
- Update to version 2.53.1
- Disable the KeePass trigger system option
- Turn off "Do not require entering current master key before exporting" under Tools > Options > Policy
- Optionally: to enforce policies and other settings, apply a global lockdown with an enforced configuration file (KeePass.config.enforced.xml) in the install directory
- Optionally: disable export
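A check for the enforced-configuration step above, as an added example that is not KeePass or Pleasant code: it parses a KeePass.config.enforced.xml and reports which of the lockdown settings (trigger system disabled, export and key-less export policies off) are missing or not set. The element paths follow KeePass's configuration XML layout as assumed here; the two sample documents are constructed, and the partial one shows what an incomplete lockdown reports.

```python
"""Added example: verify that an enforced KeePass configuration actually locks
down triggers and export. An enforced setting that is absent leaves the
user-writable config in control, so absence is reported as a finding too."""
import xml.etree.ElementTree as ET

# Element paths assumed from KeePass's configuration XML layout.
REQUIRED = {
    "Application/TriggerSystem/Enabled": "false",   # trigger system off
    "Security/Policy/Export": "false",              # export policy off
    "Security/Policy/ExportNoKey": "false",         # export must re-prompt master key
}

# Constructed: a complete lockdown.
HARDENED_XML = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem><Enabled>false</Enabled></TriggerSystem>
  </Application>
  <Security>
    <Policy>
      <Export>false</Export>
      <ExportNoKey>false</ExportNoKey>
    </Policy>
  </Security>
</Configuration>"""

# Constructed: triggers left enabled and no export policy enforced at all.
PARTIAL_XML = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem><Enabled>true</Enabled></TriggerSystem>
  </Application>
</Configuration>"""


def check_enforced_config(xml_text):
    """Return a list of findings; an empty list means every setting is enforced."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, expected in REQUIRED.items():
        node = root.find(path)
        if node is None:
            findings.append(f"{path}: not enforced")
        elif (node.text or "").strip().lower() != expected:
            findings.append(f"{path}: is {(node.text or '').strip()!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    for name, doc in (("hardened", HARDENED_XML), ("partial", PARTIAL_XML)):
        print(name, check_enforced_config(doc) or "OK")
```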
Coming Security Features & Fixes:
Version 7.11.41 - release:
- Blocks all KeePass triggers (restricted by default, optionally re-enabled)
- Option to block KeePass access / API access
- In the future, the ability to selectively allow or block client types and API access
Version 8.0 - major version (coming soon!):
- Additional zero-knowledge controls: another optional layer of encryption, client-side end-to-end (E2EE) encryption
- File Integrity Monitoring (FIM) module, for server files. We will consider bringing FIM monitoring to client workstations.