KeePass CVE-2023-32784: Detection of Processes Memory Dump

-



A new vulnerability CVE-2023-32784 was discovered that affected KeePass. KeePass is a popular open source password manager which runs on Windows, Mac, or Linux. The vulnerability allows the extraction of the master key in cleartext from the memory of the process that was running. The master key will allow an attacker to access all the stored credentials.

We strongly recommend updating to KeePass 2.54 to fix the vulnerability.

In this article we explain the new vulnerability CVE-2023-32784, how it works, and how to detect this type of attack when the attacker gains full access to your system and performs advanced techniques to steal your credentials.


Credentials in Memory Linux

When we talk about credentials in Linux, we usually think of the /etc/shadow file, but that is not the only place where passwords can be stored. Many processes also store credentials in memory, which malicious tools will try to extract. For example, the proc directory described below is a popular vector for this type of attack.

From the Linux Kernel Doc:

“The directory /proc contains (among other things) one subdirectory for each process running on the system, which is named after the process ID (PID).”

MITRE defined that the adversaries may gather credentials from the proc filesystem as OS Credential Dumping: Proc Filesystem T1003.007.

What is KeePass CVE-2023-32784?

CVE-2023-32784 allows the recovery of the cleartext master password from a memory dump. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system.

KeePass 2.X uses a custom-developed text box for password entry, SecureTextBoxEx. The flaw exploited in this CVE is that for every character typed, a leftover string is created in memory. Because of how .NET works, it is nearly impossible to get rid of it once it gets created. For example, when “Password” is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The first character cannot be recovered.

The PoC we use follows the steps below to extract the KeePass secret key:

First, scan all /proc/<pid>/cmdline files and store the pid of ones with the keyword KeePass.

Then, acquire the addresses of memory maps in /proc/<pid>/maps that aren’t directly associated with a library.

Finally, store the memory of all those maps into a buffer by taking advantage of /proc/<pid>/mem. Parse the memory to try and find leftover strings from when the user typed their master password, strings that look like •a, ••s, •••s, in sequence.


As we can see in the image above, the master key is exposed without the first character.

How to Detect KeePass CVE-2023-32784

To detect this type of attack, we should be able to monitor access to the /proc folder by an unknown process. This will trigger an alert and we can investigate further.

If we try to detect this with Falco, an open source project under the CNCF, it provides real-time detection of unusual activities in cloud-native environments by sending alerts. In this scenario, we need to adjust the rule Read environment variable from /proc files or create a new one.

To correctly trigger this rule, we should modify the condition to catch the read of /proc/<pid>/cmdline, /proc/<pid>/maps, or /proc/<pid>/mem, which is used in the PoC to obtain the KeePass master password.

With this new rule, we are able to detect the exploitation of CVE-2023-32784.


The alert contains all the information we needed to continue investigating the threat.

As mentioned in the exploit, if the attacker has sufficient permissions and capabilities within your machine, the attacker may be able to perform any malicious action. However, this rule can give us an indication of whether our credentials have been breached and act accordingly.

Reference:https://sysdig.com/blog/keepass-cve-2023-32784-detection/



M.H

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those are
Read more

The Imperva Content Delivery Network (CDN) to Improve website experience globally

-
Image
Today’s website visitors expect a fast and efficient user experience with no delays or site performance issues. However, high traffic volumes and global reaching websites mean website managers are faced with the challenge of added latency and slow page load times, which can result in lost business. According to WebSiteBuilderExpert.com, 1 in 4 site visitors would abandon a website that takes more than 4 seconds to load. And 46% of site visitors do not revisit poorly performing websites, according to Unbounce.com. A strong Content Delivery Network   (CDN) is critical for website managers and businesses that rely on their websites for success, and here are ten reasons why. Improve your engagement Faster site speed times and more responsive websites bring results in more conversions. As little as a  one-second delay  in page load time can reduce customer satisfaction by 16%. Slow page load times According to  Unbounce , ‘Nearly 70% of consumers admit that page speed influences their likel
Read more

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes

-
Image
On Feb. 13, 2024, Microsoft issued a  patch  for CVE-2024-21412, a  Microsoft Defender SmartScreen  vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access trojan (RAT). Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. It is important that organizations are able to identify and mitigate vulnerabilities, especially zero-days, in a timely mann
Read more