You better disable update checks in KeePass 2 - gHacks Tech News

You better disable update checks in KeePass 2

A security vulnerability in the popular password manager KeePass 2 was disclosed recently affecting all versions of the password manager but only if automatic update checks are enabled.

KeePass 2 ships with an option to check periodically for program updates. While update checks are performed if the feature is enabled, automatic downloads and installations of updates is not supported.

Basically, what happens is that KeePass communicates with a service to see if an update is available. Users may then click on the update notification if an update is available to open a page on the Internet that provides them with a download of the new version of the password manager.

The vulnerability exploits the fact that KeePass 2 performs update checks over HTTP and not HTTPS. An attacker could exploit this by intercepting update requests, for instance on a local network, sending manipulated update information to the KeePass 2 client, and getting users to open a site on the Internet where a fake version of KeePass is offered on (or other things happen, e.g. drive by downloads).

The developer of KeePass won't fix the issue according to the report.

Update: The KeePass information file will be digitally signed as of KeePass 2.34, and the software will only accept the information if the signature can be verified. Source

How to protect yourself

KeePass 2 update checks

Existing KeePass users have two options when it comes to the issue. The easier option involves disabling update checks in the client.

This is done in the following way:

  1. Open the KeePass 2 software on your system.
  2. Select Tools > Options from the menu at the top.
  3. Switch to the Advanced tab in the options window, and remove the checkmark from "Check for update at KeePass startup" there.

The downside of the method is that you would have to find a way to stay informed in regards to updates. You could visit the developer website regularly for that, or subscribe to the KeePass RSS Feed instead if you are using a RSS reader.

You could keep update checks enabled on the other hand but instead of clicking on the link provided by KeePass when updates are found, visit the KeePass website manually instead to download updates from it this way.

Both methods work just fine but add a level of inconvenience to the update checking and downloading process. Still, it is recommended to make use of either one of them to protect one of the most important programs on the computer.

Now You: How do you handle updates in general?

Summary
You better disable update checks in KeePass 2
Article Name
You better disable update checks in KeePass 2
Description
A security vulnerability in the popular password manager KeePass 2 was disclosed recently affecting all versions of the password manager but only if automatic update checks are enabled.
Author
Publisher
Ghacks Technology News
Logo




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Patrick van Elk said on June 3, 2016 at 9:53 am
      Reply

      “The developer of KeePass won’t fix the issue according to the report.”

      Well… he says he CAN’T fix it instead of he WONT:
      https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398

      1. Joker said on June 3, 2016 at 1:26 pm
        Reply

        “Unfortunately, for various reasons using HTTPS currently is not possible”
        The reasons are ads. Nothing else.

    2. Emma D. said on June 3, 2016 at 1:34 pm
      Reply

      Time to move to doogiePIM, me thinks.

    3. Tom Hawack said on June 3, 2016 at 1:43 pm
      Reply

      Be it the developer of KeePass can’t or won’t let the application perform update checks over HTTPS rather than HTTP doesn’t change much to it as far as I’m concerned because my policy regarding applications’ updates is to block their auto-update check and especially download (when no option I block the app’s Internet connection with the very basic but efficient ‘Firewall App Blocker’). When an update is available (availability found on most software sites) I download that update from the app’s homepage with Firefox, scan it with VirusTotal, and then update manually. I’m also aware that it is not because previous versions of an app have been checked successfully with VirusTotal that it means the latest version is clean as well : it would be really vicious for a developer to have maintained a clean app for years, enabling confidence, to better one day spoil it with malware. It can happen even if it is unlikely. “Unlikely” has always been and always will be the source of many problems, on the Web as everywhere and security means checking your very best friend, that’s the way it goes. If he/she is a friend he/she won’t mind. No exception in this mad mad world bound to become what science-fiction authors imagined thirty years ago, a world in the continuum caution to suspicion to paranoia… or trust and take that chance.

    4. CHEF-KOCH said on June 3, 2016 at 1:56 pm
      Reply

      I disable all internal update checks on each of my installed software and better check against SUMo. After that I usually download the new Version/Update from the official page. Of course the page also could be infected but it’s not possible to integrate update mechanism or an page which is 100% secure (dive-by infection/MITM).

      I’m a bit disappointed but I could understand that this is not easy to fix. Especially because we now get Ads directly within the OS which is (imho) a security risk. I think that was a bi mistake.

    5. Dave said on June 3, 2016 at 1:57 pm
      Reply

      He could solve this by removing the option to fetch updates, and replace it with a message telling you to go to the KeyPass website to get a new version when it’s available. This has the advantage of serving more ads to more website visitors. MIM attacks would still be possible, but the software would not have a vulnerability. Solved.

      1. Anon said on June 3, 2016 at 5:02 pm
        Reply

        That’s how it works now: the program directs you to the website when there’s a new version available.

      2. Matt said on June 7, 2016 at 6:38 pm
        Reply

        That’s already what KeePass does. It has never downloaded updates. It only checks for a new version and displays a notification.

        1. anon06 said on January 10, 2017 at 6:47 pm
          Reply

          That is not what it does. The prompt provides a link to direct you to the keepass page. I believe what he is saying is to eliminate the link and leave only the text directive.

    6. kalmly said on June 3, 2016 at 2:10 pm
      Reply

      Thanks for the warning Martin, and thanks to Tom Hawack too. I do let a very few apps check for updates, and KeePass is one of them. I will be changing that right now.

    7. Never Update said on June 3, 2016 at 3:06 pm
      Reply

      Never update something that works flawlessly. Also, check comments about passwords (and how to have secure passwords by never storing them):
      https://www.ghacks.net/2016/05/30/microsofts-password-recommendations/

      1. Anon said on June 3, 2016 at 5:03 pm
        Reply

        Bad advice: just because something works flawlessly doesn’t mean it doesn’t have a major security flaw.

    8. Vrai said on June 3, 2016 at 3:19 pm
      Reply

      Well this news is kind of a ‘bummer’ :( I rather like KeePass.

      It is ironic that automatic updating which should make a system more secure is actually a security vulnerability in itself. A great many applications and IoT devices are checking for updates via insecure methods.

      I stopped allowing any application to automatically check for and install updates a long time ago (AV definitions being an exception). Often updates were not security related but just UI or feature changes, many of which I did not like or want, and I wanted the old version back! Lesson learned.

    9. Patrick said on June 3, 2016 at 3:21 pm
      Reply

      Thank you Martin for this article on Keepass. I am guilty of having Keepass check for updates and clicking hyperlink to update.

    10. Jeff-FL said on June 3, 2016 at 3:32 pm
      Reply

      Easy solution: go to Ninite and get Keepass there – save the ninite.exe and name it keepass updater. Either run it manually occasionally, or set up Windows task scheduler to run it at any interval you choose. Ninite will safely handle the update for you.

      I have a single ninite exe that contains 10 or 12 programs that i run twice a week to check for updates for all of them at once. I never let apps auto-check for updates.

      1. Patrick said on June 3, 2016 at 3:50 pm
        Reply

        Thank You for the tip. Brilliant idea.

    11. Tim said on June 3, 2016 at 3:37 pm
      Reply

      I’ve never liked third-party software auto-updating itself for my own computers anyway, so manually keep track of third-party vendor updates with RSS feeds. However Windows Smartscreen Filter was made system wide from Windows 8 onwards (rather than just through Internet Explorer), so for those who are using Windows 8 and above, wouldn’t a fake MITM update be flagged by Windows Smartscreen Filter anyway.

      Not so long ago Windows Smartscreen Filter wouldn’t even let me install a legitimate version of Keepass because I didn’t have an administrator password set for the account in order to bypass the warning dialogue. It was only for Keepass and I think that was because Keepass at the time was only code-signed with a SHA-1 code-signing cert (Keepass have since changed that to a SHA-256 cert). So a fake update with no code-signing cert and without any Smartscreen reputation validation surely won’t just be able to bypass Smartscreen filter and auto-install would it?

      I’m not trying to make excuses for them not using HTTPS, just trying to figure out the real-life implications.

      1. Tim said on June 3, 2016 at 3:56 pm
        Reply

        Just to add, this also highlights why I think it’s strange that some people are for some bizarre reason are against Windows Store, where with ‘Project Centennial’, software vendors will be able to just let Microsoft take care of the hassle of the payment, distribution and updating mechanisms. Well for Windows 10 users at least.

        1. Jason said on June 3, 2016 at 6:40 pm
          Reply

          I don’t think anyone is against the Windows Store per se. The complaints are more about the business practices associated with the store. You’re right that there are lots of security benefits to a centralized software distribution network (and a disadvantage too. Compromise the network and you compromise everything).

    12. Wayfarer said on June 3, 2016 at 4:47 pm
      Reply

      I’ve used KeePass (portable version) for years – always been very happy with it. It does most things I need and very few things I don’t – something I find rare in any software.

      But anything as sensitive as a password safe is blocked at my firewall as a matter of course, whatever the options settings. Manually checking for updates once in a while is hardly a labour of hercules. I find Sumo a huge help (though I still go to developers’ websites for the files.)

      I wouldn’t touch any cloud password storage software, and I don’t trust browser password storage.

      There are, of course, many ways to compromise passwords while they’re actually in use, and I worry far more about browser and website security than my own password storage.

    13. Anon said on June 3, 2016 at 5:09 pm
      Reply

      This isn’t a big deal IMO: in the incredibly unlikely event that my update check was intercepted, not only are updates not downloaded automatically but I would see if I was redirected to another site from which to download the new version.

      1. Wayfarer said on June 3, 2016 at 6:47 pm
        Reply

        You’re right of course. But I block any password safe from net access on principle (don’t use cloud password safes anyway) – simply because I think it’s important to control access to anything so important. That’s why I use portable versions too. For me the updating is a side issue – a casualty of my paranoia… ;o)

    14. Ben said on June 4, 2016 at 12:23 am
      Reply

      Does this shitty updater not even check signatures then?
      Wow.

      1. Matt said on June 7, 2016 at 6:36 pm
        Reply

        KeePass doesn’t contain an updater. You have to manually download and install any updates which are digitally signed.

    15. Pete said on June 4, 2016 at 12:10 pm
      Reply

      Is this vulnerability only in KeePass version 2?

      Because you know, both KeePass versions, 1.x and 2.x series are developed at the same time.

      KeePass 2.x series is NOT an update per se from 1.x series, the 2.x series is a completely different application.

      I’m still using KeePass 1.x series because 2.x series is not truly portable (requires .NET).

    16. clas said on June 4, 2016 at 1:17 pm
      Reply

      Password Safe is a good alternative.

    17. someone said on June 4, 2016 at 1:50 pm
      Reply

      I always block programs in Windows firewall that do not need internet access to function… glad to see that my paranoia was not unfounded hehe

      1. Tom Hawack said on June 4, 2016 at 2:20 pm
        Reply

        “Just because you’re paranoid doesn’t mean they aren’t after you.”
        ― Joseph Heller, Catch-22

        I thought until yesterday that the above quote was from Woody Allen when it appears to be from Joseph Heller.

        Anyway I totally agree with your policy of blocking programs’ connections when those connections are not needed, even if whatever is found in an application is “always for a better service” (this leitmotiv has become so spread that I just cannot help myself from laughing in silently each time I read this sort of bullsh!t :)

        The good, the bad and the aware! Yet, as Louis Armstrong sings it, “what a wonderful world”. But I never forget what I learned many years ago which is that we share an oppressor’s responsibility when we remain inactive in the face of his assaults. So, for their good, let us block them intruders :)

      2. clas said on June 5, 2016 at 12:35 pm
        Reply

        Someone and Tom: just wanted to thank you for giving my brain a good nudge. have used windows firewall for years and never blocked outgoing from programs…just didnt think of it. but i read comments and yours just hit that sweet spot so i googled it and learned. now have about 20 programs blocked from outgoing and will do more today. thanks again for one of those side-effect bonus’ of Ghack’s comments forum.

    18. wonton said on June 6, 2016 at 5:26 am
      Reply

      what is funny here is the developer clearly wants ad money but clearly has no clue. google adsense ads work on https so no revenue would be lost. the developer could have saved all this BS from the get go and switched to https but greed clearly shined here showing the developers true colours MONEY OVER SECURITY.

      maybe the developer should have researched more about google adsense.

      1. Martin Brinkmann said on June 6, 2016 at 6:35 am
        Reply

        Ad revenue drops by up to 10% when you switch to HTTPS and use Adsense.

    19. Matt said on June 7, 2016 at 6:31 pm
      Reply

      Martin, I’m confused by the part of the article where you say that this could be used to get “users to open a site on the Internet where a fake version of KeePass is offered”. Could you elaborate?

      The update.txt file that’s retrieved from the web site by KeePass only contains information about version numbers. The link in the update dialog box is hard coded into the KeePass executable. How exactly would changing the update.txt file via a MitM attack do anything other than cause a notification to appear on startup?

      1. Martin Brinkmann said on June 7, 2016 at 6:45 pm
        Reply

        Matt, an attacker could intercept not only the update request but also the user’s click on that link. But since things have been improved already, that’s probably not really a issue anymore.

    20. Anonymous said on June 14, 2016 at 4:41 pm
      Reply

      All you people who like KeePass; I do urge you to donate 1€ today. It’s an amazing and important software and the developers are very keen on improving it.

    Leave a Reply