BSI warnt vor KeePassXC-Schwachstellen / BSI warns of vulnerabilities in the password manager KeePassXC (www.heise.de)

submitted 2 years ago by 73kk13@discuss.tchncs.de to c/foss@beehaw.org

22 comments fedilink hide all child comments

heisec@social.heise.de - BSI warnt vor KeePassXC-Schwachstellen

Das BSI warnt vor Schwachstellen im Passwort-Manager KeePassXC. Angreifer können Dateien oder das Master-Passwort ohne Authentifzierungsrückfrage manipulieren.

[The BSI warns of vulnerabilities in the password manager KeePassXC. Attackers can manipulate files or the master password without authentication confirmation.]

top 21 comments

sorted by: hot top controversial new old

[-] laskobar@feddit.de 8 points 2 years ago

Lock the pc, if you leave and lock the db, if pc is locked, lid is closed and this is absolute a non-issue.

German BSI is sometimes a little bit over motivated ;-)

[-] veloxization@yiffit.net 7 points 2 years ago* (last edited 2 years ago)

KeePassXC is not affected by this vulnerability.

[-] lowleveldata@programming.dev 2 points 2 years ago* (last edited 2 years ago)

CVE-2023-32784

That's not the issue mentioned in the article. Which is CVE-2023-35866.

[-] veloxization@yiffit.net 1 points 2 years ago* (last edited 2 years ago)

gotcha

Added to original comment. Both are recent issues, so confusion is forgivable.

[-] Irisos@lemmy.umainfo.live 1 points 2 years ago

This is also the vulnerability that made many people delete Keepass 2 for XC many months ago so it is very strange that they make an article that sounds like it's a new vulnerability.

[-] dog@suppo.fi 2 points 2 years ago* (last edited 2 years ago)

Wrong vulnerability. The discovered one is CVE-2023-35866, which is still pending verification* (analysis).

This affects KeePassXC. https://nvd.nist.gov/vuln/detail/CVE-2023-35866

[-] Irisos@lemmy.umainfo.live 1 points 2 years ago

Thanks for the correction. In that case going to be interesting how this issue progress.

[-] eayeith697@iusearchlinux.fyi 5 points 2 years ago

Here is KeePassXC's response: https://keepassxc.org/blog/2023-06-20-cve-202335866

Basically some random guy with weird misconceptions about security decided this was an issue, it's obviously not. Honestly concerning that he was able to easily get a CVE for this and even get articles about it published on some websites.

[-] lowleveldata@programming.dev 4 points 2 years ago* (last edited 2 years ago)

Can't read German. What is required to perform this attack?

[-] lowleveldata@programming.dev 5 points 2 years ago

Ok I checked it up (CVE-2023-35866). It basically says an attacker may export everything if they have access to your unlocked database. Which seems... obvious? The project contributors says it's not a vulnerability which I incline to agree.

[-] interolivary@beehaw.org 7 points 2 years ago

You mean to say that if I leave my door unlocked, somebody might come in? This is shocking news!

[+] koenada@beehaw.org 2 points 2 years ago

[deleted]

[-] blackstrat@lemmy.fwgx.uk 2 points 2 years ago

It's a denial of service vulnerability. Requiring the existing master password to change the master password will stop a drive by miscreant denying you access to your db. And password change system I've ever used has required the existing password to he entered first.

Likewise a full db export feel like a big enough deal to require authorization.

If you're careful and lock your machine when you leave it then you should be pretty safe. I'm surprised these aren't already features.

[-] Eufalconimorph@beehaw.org 4 points 2 years ago

No, requiring the existing master password won't help. A drive by miscreant with access to an unlocked computer with an unlocked DB can delete all the DB entries. If the DB is locked they can just delete the DB file. KeePassXC can't defend against this, that takes properly functioning versioned backups.

[-] blackstrat@lemmy.fwgx.uk 1 points 2 years ago

yeah, maybe denial of service isn't it. I replied to a comment above why I think it should still be protected functionality to help prevent data leak.

[-] hello_world@feddit.uk 0 points 2 years ago

They could just delete the file to deny you access to your db?

[-] blackstrat@lemmy.fwgx.uk 1 points 2 years ago

Yeah, that's fair. But a full db export that they could then email themselves. It'd be nice to have some more protection against that. Or Change the master password and email the encrypted file to themselves.

load more comments

this post was submitted on 20 Jun 2023

15 points (100.0% liked)

Free and Open Source Software

18022 readers

52 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago

MODERATORS

Gaywallet@beehaw.org

alyaza@beehaw.org