KeePass 2.34 plugs security issue - gHacks Tech News

KeePass 2.34 plugs security issue

A recently disclosed man-in-the-middle vulnerability in the popular password manager KeePass has been fixed in KeePass 2.34.

The issue required some preparation on the part of the attacker to be exploited successfully. It took advantage of KeePass' update check, which fetched the version information file from the KeePass server over an unencrypted connection and did not verify that the file actually came from the KeePass developer. Anyone able to intercept or redirect that connection could therefore replace the file with one of their own.

An attacker could manipulate the information to tell users that a new version is available, and then deliver a manipulated copy of KeePass when the user initiates the download.

The issue lends itself to targeted attacks only: the attacker needs to be in a position to tamper with the victim's network traffic, and the user would have to run the update check from within KeePass, follow the link to download the new version from the website, and install it without verifying its digital signature.

KeePass 2.34


It is recommended to download KeePass 2.34 from the developer website directly, rather than following an update-check link, and to verify the digital signature of the download before installing it.

KeePass 2.34 patches the update check issue in three ways: the version information file is now transferred over HTTPS, the file is digitally signed, and the password manager only accepts version information files that carry a valid signature.

Together these changes prevent man-in-the-middle attacks against the version information file: an attacker who can still see or redirect the connection can no longer substitute a file that KeePass will accept, which closes the security issue.
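As an added example, not KeePass's own code, the following PowerShell script simulates both the pre-2.34 update check described above and the 2.34 fix. It assumes a simplified version information file (plain text, one "Component:Version" line per entry) and a signed variant that prepends a "sig:" line carrying a base64 RSA/SHA-256 signature over the rest of the file; KeePass's real file format, key size and hash algorithm are not shown on the page. The RSA key pair, the URLs and the sample file contents are constructed for the demo.

```powershell
# Added example, not KeePass code: simulation of the update check before and
# after the 2.34 fix. Assumptions not taken from the article: the version
# information file is plain text with one "Component:Version" line per entry,
# and the signed variant prepends a line "sig:<base64 RSA/SHA-256 signature
# over the rest of the file>". KeePass's real file format, key size and hash
# algorithm are not shown on the page.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# --- Publisher side ---------------------------------------------------------
# Throw-away key pair for the demo. In the real program the private key stays
# with the developer and only the public half is embedded in KeePass.
$publisherKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$publicKey    = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$publicKey.ImportParameters($publisherKey.ExportParameters($false))

function New-SignedVersionFile {
    param([string[]]$Lines, [System.Security.Cryptography.RSA]$Key)
    $body  = $Lines -join "`n"
    $bytes = [Text.Encoding]::UTF8.GetBytes($body)
    $sig   = $Key.SignData($bytes,
                           [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                           [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return 'sig:' + [Convert]::ToBase64String($sig) + "`n" + $body
}

# --- Client side ------------------------------------------------------------
function Test-VersionFileSignature {
    param([string]$Content, [System.Security.Cryptography.RSA]$Key)
    $nl = $Content.IndexOf("`n")
    if ($nl -lt 0 -or -not $Content.StartsWith('sig:')) { return $false }   # unsigned file: reject
    try   { $sig = [Convert]::FromBase64String($Content.Substring(4, $nl - 4)) }
    catch { return $false }                                                 # malformed signature line
    $body = [Text.Encoding]::UTF8.GetBytes($Content.Substring($nl + 1))
    return $Key.VerifyData($body, $sig,
                           [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                           [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Get-UpdateInfo {
    param([string]$Url, [string]$Content, [switch]$RequireSigned, [System.Security.Cryptography.RSA]$Key)
    # Pre-2.34 behaviour (default): whatever arrives is parsed, so anyone on the
    # network path can rewrite the file. 2.34 behaviour (-RequireSigned): the
    # source must be HTTPS and the signature must verify, or the file is dropped.
    if ($RequireSigned) {
        if (-not $Url.StartsWith('https://', [StringComparison]::OrdinalIgnoreCase)) {
            throw "refusing non-HTTPS update source: $Url"
        }
        if (-not (Test-VersionFileSignature -Content $Content -Key $Key)) {
            throw 'version information file is not signed by the expected key'
        }
    }
    $versions = @{}
    foreach ($line in $Content -split "`n") {
        if ($line.StartsWith('sig:')) { continue }
        if ($line -match '^([^:]+):([0-9.]+)$') { $versions[$Matches[1]] = [Version]$Matches[2] }
    }
    return $versions
}

# Constructed sample: the genuine signed file, and a copy rewritten in transit
# by an attacker to announce a bogus release.
$genuine  = New-SignedVersionFile -Lines @('KeePass:2.34', 'KeeAgent:0.8.1') -Key $publisherKey
$tampered = $genuine.Replace('KeePass:2.34', 'KeePass:9.99')

# Old client: accepts the tampered file and would prompt the user to "update" to 9.99.
(Get-UpdateInfo -Url 'http://example.invalid/version2x.txt' -Content $tampered)['KeePass']
# 2.34 client: the tampered copy fails the signature check even over HTTPS.
try   { Get-UpdateInfo -Url 'https://example.invalid/version2x.txt' -Content $tampered -RequireSigned -Key $publicKey }
catch { "rejected: $_" }
# 2.34 client: the genuine file verifies and is used.
(Get-UpdateInfo -Url 'https://example.invalid/version2x.txt' -Content $genuine -RequireSigned -Key $publicKey)['KeePass']
```

The point the simulation makes is that the transport and the signature are separate controls: HTTPS alone stops a passive attacker on the path, while the signature check stops anyone who can still serve a file to the client, including a compromised or impersonated server, because only the holder of the publisher's private key can produce a file the client will accept.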

Side note: All KeePass binaries are digitally signed, and it is easy to verify the signature. Open the KeePass directory on your system, right-click any executable file, select Properties from the menu, and switch to the Digital Signatures tab.

The signer should be listed as "Open Source Developer, Dominik Reichl". Select the entry and click Details to confirm that Windows reports the signature as OK, meaning the file has not been modified and the certificate chains to a trusted root. Note that the displayed name alone is a weak check: a certificate issued to a similar-looking name would pass a glance, so compare the certificate's thumbprint against a known-good copy if you want more than a visual match.
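The same check, scripted, as an added example that is not from the article or from KeePass: the PowerShell below runs Get-AuthenticodeSignature over every executable and DLL in the KeePass directory and treats a file as trusted only if Windows reports the signature as Valid and the signing certificate's thumbprint matches a pinned value. The subject name is reported for information but not relied on, which addresses the look-alike-name problem. $KeePassDir is assumed to be the default install path and $ExpectedThumbprint is a placeholder; the real thumbprint is not on the page and has to be recorded once from a copy obtained directly from the developer site.

```powershell
# Added example, not from the article or KeePass: checks the Authenticode
# signatures of the KeePass binaries from PowerShell. A file passes only if
# Windows reports the signature as Valid (intact file, chain to a trusted root)
# AND the signing certificate's thumbprint matches the pinned value. The
# subject name is shown for information only, because a differently issued
# certificate with a look-alike name would pass a visual check.
# Assumptions: $KeePassDir is the default install path; $ExpectedThumbprint is
# a placeholder to be replaced with the value read from a copy obtained
# directly from the developer site (the real thumbprint is not on the page).
$KeePassDir         = 'C:\Program Files (x86)\KeePass Password Safe 2'
$ExpectedThumbprint = '0000000000000000000000000000000000000000'

function Test-KeePassBinary {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Thumbprint)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null for an unsigned file
    $subject = $null; $thumb = $null
    if ($null -ne $cert) { $subject = $cert.Subject; $thumb = $cert.Thumbprint }
    # -eq on strings is case-insensitive in PowerShell, which suits hex thumbprints.
    $pinned = ($null -ne $thumb) -and ($thumb -eq $Thumbprint)
    [pscustomobject]@{
        File       = Split-Path -Path $Path -Leaf
        Status     = $sig.Status            # anything but Valid: unsigned, modified, or untrusted chain
        Subject    = $subject
        Thumbprint = $thumb
        Trusted    = ($sig.Status -eq 'Valid') -and $pinned
    }
}

# The article states that all KeePass binaries are signed, so every .exe and
# .dll in the directory is expected to pass.
$results = Get-ChildItem -Path $KeePassDir -Include *.exe, *.dll -Recurse |
    ForEach-Object { Test-KeePassBinary -Path $_.FullName -Thumbprint $ExpectedThumbprint }
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Trusted }) {
    Write-Warning 'At least one file did not verify; do not run it until you know why.'
}
```

To pin the thumbprint, read the SignerCertificate.Thumbprint property that Get-AuthenticodeSignature returns for a KeePass.exe you downloaded directly from the developer site, and keep that value with the script; from then on a substituted binary fails the check even if its signer name reads identically in the Properties dialog.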


Other changes in KeePass 2.34

The new version of the password manager ships with other improvements and even some new features that are worth a closer look.

First, there is a new option to lock the workspace when the main KeePass window is minimized to the tray.

KeePass users know that they can configure the program to lock the loaded database automatically on certain events, such as after a period of inactivity, when the computer is locked, or when the remote control mode changes.


The new option only has an effect if KeePass is configured to minimize to the system tray instead of the taskbar. The two settings are found under Tools > Options > Security and Tools > Options > Interface respectively.

The author added two new keyboard shortcuts that control the program's state: Ctrl+Q closes KeePass, just like Alt+F4, and Esc can be mapped in the options to minimize the main window to the system tray.

The KeePass 2.34 installer and the portable package now create an empty Plugins folder in the application directory. Plugin version information files can now be digitally signed as well, and plugins are loaded from the application directory and from the Plugins folder and its subdirectories.

Existing KeePass users may notice startup performance improvements in the latest version thanks to the filtering of plugin candidates.

Last but not least, KeePass 2.34 searches for and deletes temporary files that MSHTML creates and leaves behind after failed print jobs.

Closing Words

KeePass 2.34 plugs the recently disclosed security issue, and introduces some new features to the password manager on top of that.



    Comments

    1. Pete said on June 13, 2016 at 11:40 am

      Martin, could you please take this into consideration, from the KeePass website:

      KeePass currently is available in two different editions: 1.x and 2.x. They are fundamentally different (2.x is not based on 1.x). They mainly differ in portability and functionality:

      KeePass 1.x: Runs on all Windows systems with GDI+ (already included in Windows XP and higher). Does not need to be installed; is portable. Fewer features than 2.x.
      KeePass 2.x: Runs on all Windows systems with Microsoft .NET Framework 2.0 or higher (already included in Windows Vista and higher) and other operating systems (Linux, Mac OS X, etc.) with Mono. Does not need to be installed; is portable.

      I’d like you to acknowledge this in your articles about Keepass. There are people using 1.x edition. Thanks.

    2. CHEF-KOCH said on June 13, 2016 at 12:52 pm

      I never get the point about the ‘portable’ hype, it mostly requires more space because of additional dependencies and libraries. If you want to test it, you can create a Sandbox or VM or a MemoryDrive. If you want it because of a USB stick, then in most cases you can simply install into appdata anyway (no special access needed).

      V1 or 2, who really cares? Both of them are equally secure; as mentioned you could simply disable updates or just install this version now and everything should be fine.

      I’m thankful that we get a fix even after the author said it will not be fixed:
      https://sourceforge.net/p/keepass/discussion/329220/thread/e430cc12/#f398

      What more do we want? 10 days to fix this was not that long. :)

      1. Pete said on June 13, 2016 at 6:06 pm

        Your opinion is not the “correct” one that everybody else should follow. Also, learn some manners. Now you appear as a know-it-all & I’m right -ahole.

    3. Tim said on June 13, 2016 at 2:03 pm

      I would imagine if you want to use it between multiple devices from a USB stick. Or to temporarily use it on a family member's machine (if for example you keep your elderly family members' online credentials with your own passwords due to their dementia and you set up and maintain their PCs for them). Etc.

      What I don’t understand why you would want to create a Sandbox or VM or a MemoryDrive or install into appdata, when you can just run it straight from a USB stick.

    4. CHEF-KOCH said on June 13, 2016 at 2:39 pm

      The KeePass addon (official Chrome) can do this via cloud within the browser (or as fallback from the database file offline on storage). I don't know if the Firefox addon already got that ability too, because last time there was no cloud support implemented.

      The thing with USB sticks is, especially if your entire family or friends have access to it, it gets infected more easily than the OS because you maybe use this stick in other systems which are already infected or someone ‘accidentally’ infects it – drive-by infection works exactly like this, email attachments, USB sticks and more. Stuxnet was also done via USB stick, and I was never really a friend of USB sticks.

      I think if you often have such cases a Sandbox would be the best solution, so that everyone can only get access in this and after all is done it will be deleted. Of course everyone can do whatever he/she wants but it’s simply easier and you don't need to worry about everything (or less). :)

    5. Tony said on June 13, 2016 at 8:58 pm

      “The signature should read ‘Open Source Developer, Dominik Reichl’. If that is the case, the file is legitimate.”

      This is trivial for someone to spoof.

      For example, would you notice if the signature read ‘Open Source Developer, Dominik Reich’? Probably not. But that’s a completely different signature (look closely).

      Or what about ‘Open Source Developer, Dominic Reichl’? Would you notice that?

      It’s also trivial to obfuscate the fake signature even more subtly using non-standard characters that look like standard characters.

      Trying to visually compare signature names, in practice, is useless and is not advised.

    6. Patrick said on September 18, 2016 at 8:02 pm

      Buy a USB flash drive with a “write protect” switch. You won’t have to be concerned about infections.
