heisec@social.heise.de - BSI warns of KeePassXC vulnerabilities

The BSI warns of vulnerabilities in the password manager KeePassXC. Attackers can manipulate files or the master password without authentication confirmation.

  • sudo_su@feddit.de · ↑ 3 · 2 years ago

    Lock the PC if you leave, and lock the DB if the PC is locked, lid is closed, and this is absolutely a non-issue.

    German BSI is sometimes a little bit overmotivated ;-)

    • NightDice@feddit.de · ↑ 1 · 2 years ago

      You don’t even need to lock the pc, locking the db is sufficient. The issue allows changing the settings on unlocked databases without needing to re-confirm (at least according to the article).

  • flatbield@beehaw.org · ↑ 1 · 2 years ago

    Do we know the mechanism of access? Do you have to be on the same user's account, or do you only have to be on the same machine as any user? If the same user's account, what do they expect? Anyone running as you has total access to your stuff anyway. Is there any way around that?

    Thoughts?

    • blackstrat@lemmy.fwgx.uk · ↑ 1 · 2 years ago

      It’s a denial of service vulnerability. Requiring the existing master password to change the master password will stop a drive-by miscreant denying you access to your db. Any password change system I’ve ever used has required the existing password to be entered first.

      Likewise, a full db export feels like a big enough deal to require authorization.

      If you’re careful and lock your machine when you leave it then you should be pretty safe. I’m surprised these aren’t already features.

      • Eufalconimorph@beehaw.org · ↑ 3 · 2 years ago

        No, requiring the existing master password won’t help. A drive-by miscreant with access to an unlocked computer with an unlocked DB can delete all the DB entries. If the DB is locked they can just delete the DB file. KeePassXC can’t defend against this; that takes properly functioning versioned backups.

        • blackstrat@lemmy.fwgx.uk · ↑ 1 · 2 years ago

          Yeah, maybe denial of service isn’t it. I replied to a comment above why I think it should still be protected functionality to help prevent data leak.

        • blackstrat@lemmy.fwgx.uk · ↑ 1 · 2 years ago

          Yeah, that’s fair. But a full db export that they could then email themselves. It’d be nice to have some more protection against that. Or change the master password and email the encrypted file to themselves.

    • 73ʞk13 (OP) · ↑ 3 · edited 2 years ago

      There is if you click on the image.

    • chaddy@feddit.de · ↑ 3 · 2 years ago

      On Jerboa (List View) the link is on the thumbnail, maybe it’s the same in the browser version. Keep in mind that the article on heise is in German.

  • itsame@lemmy.world · ↑ 1 · 2 years ago

    Attackers can manipulate files or the master password without authentication confirmation.

    This is in my view incorrect. It should be: If an attacker gains access to a computer where a user has unlocked the KeePass DB, the attacker has access to all data and can switch off 2FA and change the password; the software does not ask to enter the password again.

    The key is that the user must unlock the data first. It is a vulnerability, but the way it is classified by BSI is questionable.