Pleasant Password Server Products Protect the Master Password against CVE-2023-32784
Regarding: CVE-2023-32784
Summary:
Pleasant Password Server already provides, by default, an additional safeguard for the master password with the KeePass for Pleasant login, so that master passwords in particular are not affected by this security concern.
Additional mitigation of this concern is provided in version 8.0.6, which includes the specific KeePass security patch changes found in KeePass version 2.54 (further mitigation details are included in the section below).
In comparison testing with the KeePass for Pleasant Password Server version, there is heightened security protection for master passwords, above standard KeePass.
Note that for this concern to be taken advantage of, an attacker would require previously breached access to the machine (and thereby also access to memory/files), so it is difficult to exploit and a low-likelihood risk.
The scope of the concern is therefore limited, or eliminated completely, with Pleasant Password safeguards (see below for more details).
MITIGATIONS:
- Install 8.0.6
- Alternatively:
  - Block KeePass access - Navigate to General Settings for this option:
    - Version 8.0.6: "Block Client Apps"
    - Version 7.11.44: Toggle "Enable application API" setting to OFF
  - Or, enable Zero-Knowledge Encryption on entries (v8.x with Ent+SSO). This currently also blocks KeePass access to the entry.
KEEPASS SECURITY:
- KeePass has an excellent security history, and has been shown to be more thorough in its memory handling and scrubbing than other popular password managers, which in comparison have been shown to have memory security problems.
- The EU has had a Bug Bounty program for KeePass, and security-wise the app's reputation has been quite stellar.
- KeePass remains a recommendation, e.g. even by national cyber office(s).
- KeePass for Pleasant offers additional layers of security protection.
LIMITED SCOPE/IMPACT:
- This attack requires access to the machine (and thereby the attacker would have memory / system access anyway and so could do whatever they wanted), so it is a difficult hack to exploit with low likelihood,
- In version 8, Zero-Knowledge encryption Entries are not affected,
- KeePass for Pleasant login passwords are not affected,
- KeePass for Pleasant app can be blocked entirely,
- KeePass for Pleasant does not bring all entry passwords into memory, only the user requested ones,
- KeePass has already demonstrated a solution, which will be released. Once this is patched in KeePass for Pleasant, this becomes a temporary problem,
- Recent Pleasant Password Server versions will now require KeePass instances to be updated
FIX RELEASE:
- version 8.0.6
- includes the specific security patch resolution provided by KeePass
DISCUSSION OF ATTACK VECTORS:
- As for any application, KeePass is vulnerable if a hacker/malware has open access to the machine, and thereby also has access to the memory and/or system files; they could then theoretically do whatever they wish.
- For this reason, some vendors may choose to restrict access to KeePass / the API, and only use the Web application. This option is available in the most recent version(s) of the application.
SAFE DISCLOSURE WAS NOT DONE BY THE SECURITY RESEARCHER:
- Safe disclosure of a vulnerability takes a few minutes of effort, to look up contacts and reach out. This typically helps mitigate many complications/pain for application users. But this was not done by the individual, and so has let down the KeePass community. Later, the researcher apologized for his mistake.
- However, a fix was demonstrated very quickly, and so this vulnerability is temporary / short-lived with an updated version.
Update Pleasant Password Software
Recent releases of Password Server include other important Pleasant Password Server security updates that require updating for other, unrelated issues.
Download unrelated security patches (Stable / Latest):
References:
KeePass:
- https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283
- https://keepass.info/news/n230603_2.54.html
- https://keepass.info/contact.html
Bleeping Computer articles:
- https://www.bleepingcomputer.com/news/security/keepass-v254-fixes-bug-that-leaked-cleartext-master-password/
- https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon
CVE Database: