Security Hole Found in KeePass Password Manager

Earlier today researcher Benjamin Kunz Mejri of Vulnerability Lab reported to ThreatPost that he had found a vulnerability in the open-source password manager KeePass.

The vulnerability is supposedly in the way the application filters and validates data. If exploited, it could be used to inject malicious scripts. For it to work, though, a number of conditions would have to be met:

  • A manipulated URL containing malicious script code;
  • A logging server with read, write and execute permissions;
  • A listing file;
  • A valid KeePass user.

If all conditions are met, then the attacker would be able to steal the victim's passwords.

Benjamin classifies the vulnerability as Medium, but the vendor responded saying it was better classified as Minor. The vendor, KeePass creator Dominik Reichl, appears to classify it as such because of how impractical the vulnerability is. For it to work, “an attacker would need to make a user import malicious data without noticing it, export the database to an HTML file and open it.”
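The export step the vendor describes is where output encoding matters. As an added illustration (not KeePass's own code), here is a toy HTML export that writes entry fields verbatim next to one that escapes them, plus an audit check that flags stored fields carrying markup before export. The entries and the script string are constructed for the example.

```python
import html
from dataclasses import dataclass


@dataclass
class Entry:
    title: str
    url: str
    username: str


# Constructed sample data (not from the page): the second entry's URL field
# carries markup of the kind a user might import without noticing.
SAMPLE_ENTRIES = [
    Entry("Mail", "https://mail.example.test/", "alice"),
    Entry("Imported", "http://bad.example.test/<script>alert(1)</script>", "bob"),
]

ROW = "<tr><td>{title}</td><td>{url}</td><td>{username}</td></tr>"


def export_html_unsafe(entries):
    """Interpolates field values verbatim: markup in any field is rendered live
    when the exported report is opened in a browser."""
    rows = (ROW.format(**vars(e)) for e in entries)
    return "<table>" + "".join(rows) + "</table>"


def export_html_safe(entries):
    """Escapes every field before it touches the markup, so stored data is
    always rendered as inert text regardless of what it contains."""
    rows = (
        ROW.format(**{k: html.escape(v, quote=True) for k, v in vars(e).items()})
        for e in entries
    )
    return "<table>" + "".join(rows) + "</table>"


def fields_with_markup(entries):
    """Audit helper: (title, field) pairs whose value contains characters that
    carry meaning in HTML, i.e. data worth reviewing before any export."""
    hits = []
    for e in entries:
        for field, value in vars(e).items():
            if any(ch in value for ch in "<>\"'&"):
                hits.append((e.title, field))
    return hits
```

The unsafe export reproduces the `<script>` tag verbatim; the safe one emits `&lt;script&gt;`, and the audit reports the imported entry's URL field.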

I can’t help but agree: based on the conditions, it does appear to be a minor issue, but Benjamin seems to think that it is remotely exploitable. He goes on to say how, but again it would require specific actions from the user, which adds to the unlikely nature of the exploit. The user would have to take the malicious site’s data and save it to their KeePass install for it to work. Again, just not very practical in my opinion.

It’s one thing to inadvertently visit a malicious site; it’s another to visit a malicious site and then actively save it to your password manager. Just too unlikely, which leads me to side with the vendor in terms of classification.

Regardless, if you’re a developer, the development version already includes a fix for it. For all other users, the next build will include the fix.