A security vulnerability was found in KeePass 2, a popular open source password manager, earlier this year but the software’s creator has refused to issue a patch. Here’s why.
The bug is in the password manager’s automatic update check. KeePass uses unencrypted HTTP requests to check for new versions and for other tasks, so the traffic can be tampered with by a man-in-the-middle attacker.
According to Florian Bogner, an Austrian IT security expert, an attacker can trick users into downloading a dodgy KeePass update by redirecting them to a malicious download page. You can see the attack in action below:
The recommendation from Bogner is to use HTTPS encryption for update notifications and to download updates only from a trusted source. Also, it’s worth noting KeePass will only run the update checker when a user authorises it at launch.
KeePass 2’s developer Dominik Reichl had been notified of the security vulnerability back in February but he has made it clear he will not fix it as switching to HTTPS would mean losing advertisement revenue.
In a more recent update Reichl further explained:
“It is true that the KeePass website isn’t available over HTTPS up to now. Moving the update information file to a HTTPS website is useless, if the KeePass website still uses HTTP. It only makes sense when HTTPS is used for both. Unfortunately, for various reasons using HTTPS currently is not possible, but I’m following this and will of course switch to HTTPS when it becomes possible.”
On the official KeePass website, he recommends that users verify any KeePass download:
“In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> ‘Properties’ -> tab ‘Digital Signatures’. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.”
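The Explorer procedure quoted above can be scripted so the check is done before the installer is ever run. The following PowerShell script is an added example, not code from the article or the KeePass project; the download path and the expected publisher name are assumptions, and the placeholder must be replaced with the signer name seen on a known-good copy.

```powershell
# Added example (not from the article or the KeePass project): verify the Authenticode
# signature of a downloaded KeePass installer before running it, instead of trusting
# the plain-HTTP update notification. Path and publisher name are assumptions.
param(
    # ASSUMPTION: where the installer was saved
    [string]$Path = "$env:USERPROFILE\Downloads\KeePass-2.34-Setup.exe",
    # PLACEHOLDER: copy the publisher name from the UAC dialog of a known-good install
    [string]$ExpectedSubject = 'CN=EXPECTED-PUBLISHER-NAME'
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# Get-AuthenticodeSignature checks the embedded signature against the file's hash
# and validates the certificate chain up to a trusted root.
$sig = Get-AuthenticodeSignature -FilePath $Path

# Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...) means the
# file was not produced by the holder of a trusted signing key, or was modified.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)"
    Write-Warning "Do not run this file; re-download it from a trusted mirror."
    exit 1
}

# A valid signature from the wrong signer is still a red flag: any code-signing
# certificate holder could sign a trojanised build, so pin the expected publisher.
$subject = $sig.SignerCertificate.Subject
if ($subject -notlike "*$ExpectedSubject*") {
    Write-Warning "Signed by an unexpected publisher: $subject"
    exit 1
}

# Optional second check: compare against the checksum published on the download page.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

"Signature valid."
"Signer:     $subject"
"Thumbprint: $($sig.SignerCertificate.Thumbprint)"
"SHA256:     $hash"
```

Because the update notification itself travels over HTTP, the signature and checksum checks are what actually protect the user; a valid signature status alone is not enough, which is why the script also pins the signer.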
Comments
8 responses to “KeePass Vulnerability Lets Attackers Steal Passwords (But Don’t Expect It To Be Patched)”
I’m sorry but this is a pretty substantial security flaw for a program that deals with protecting people’s passwords.
If I used this software, this news would make me quit using it.
It is and it’s surprising to see the creator so resistant in patching it due to potential loss of revenue. Without users, there would be no revenue…
What I don’t understand is why he won’t develop a new version that updates from a subdomain or entirely different domain?
He should be able to keep his revenue by operating the main site over plain HTTP and have the app update securely.
Showing resistance to embrace change and instructing his users to manually validate the signatures of the binaries is a bit far-fetched.
But would you pay for it?
Just don’t use the updater.
If you run your systems correctly, you would download the source and then run as an administrator to install it. Not run everything as an administrator and let everything get updated on its own.
Don’t use the updater, guys. Verify the hashes, check the digital signature and if you wish to download KeePass over HTTPS go ahead and download it from FOSSHUB, which starts all downloads from HTTPS. Developer of KeePass Dominik Reichl has control over these files according to his statement: “KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.).” Another famous password manager, Password Safe, initially developed by Bruce Schneier and now by Rony Shapiro, uses the same mirror, FOSSHUB, so it is safe.
This is total FUD. KeePass users are very secure and have no need to worry.
The update checker ONLY says “hey there’s an update” after which you must MANUALLY go to the website and download the new version from a SourceForge mirror. The best hack you can do would be to tell the user that there’s a fake update. All downloads are digitally signed and as always, it’s up to you to verify those signatures before installing.
Not only that, the dev has enabled signing on the version file and signing has been supported in the last few versions of the program, so the “bug” has already been addressed.
Spandas Lui and Lifehacker really needed to do some more research on this post. Really poor reporting 🙁
Hi there,
I’m sorry you feel that way. I just wanted to clarify that KeePass itself has acknowledged that the vulnerability exists and has even provided a workaround for it (as detailed in my article). I never said that the update checker downloads automatically and have provided sources as to where all this information comes from.
Hope this helps!
Cheers,
Spandas
KeePass 2.34 has been released, addressing this issue. http://keepass.info/news/n160611_2.34.html
Changes from 2.33 to 2.34:
New Features:
The version information file (which the optional update check downloads to see if there exists a newer version) is now digitally signed (using RSA-4096 / SHA-512); furthermore, it is downloaded over HTTPS.
Added option ‘Lock workspace when minimizing main window to tray’.
Added option ‘Esc minimizes to tray instead of locking the workspace’.
Added Ctrl+Q shortcut for closing KeePass (as alternative to Alt+F4).
Added UIFlags bit for disabling the ‘Check for Updates’ menu item.
The installers (regular and MSI) now create an empty ‘Plugins’ folder in the application directory, and the portable package now also contains such a folder.
Plugins: added support for digitally signed version information files.
Improvements:
Plugins are now loaded only directly from the application directory and from any subdirectory of the ‘Plugins’ folder in the application directory.
Improved startup performance (by filtering plugin candidates).
When closing a database, KeePass now searches and deletes any temporary files that may have been created and forgotten by MSHTML when printing failed.
CHM help file: improved high DPI support.
Various code optimizations.
Minor other improvements.
Bugfixes:
(None).
It’s been patched in version 2.34 about a week after the date of this post.
I used Wireshark to sniff the update request and verified that KeePass connects to sslsites.de on TCP port 443 (80.67.16.21).
I’ve used the SSL Server Test suite from Qualys and sslsites.de is given an “A” grade for their SSL configuration.
Also I used Microsoft’s free tool File Checksum Integrity Verifier to validate the md5sum provided by the KeePass developer for my copy of keepass-2.34-setup.exe downloaded from the official site.