Yes, this was my recommendation from last week.
Today, 2.53.1 is signed with a new digital signature with a cert from Feb 8 2023.
So now all you have to do is revoke previous signatures in your Windows install.
Last edit: BK834 2023-02-08
Cool! It seems Dominik is going to revoke previous digital signature.
Thank you, Dominik!
You keep saying database. But you mean configuration xml file. They aren't the same.
The keepass database is an open standard and has nothing to do with this. It's like saying you can never use PDF files because Adobe 9 had weaknesses.
This vulnerability is solely in the KeePass2 application versions 2.53 and lower. It's the client software that has the issue, not the database file which is still secure.
Last edit: BK834 2023-02-08
Yes, I mean exactly the database. Not the XML file. When a user is won over to unlock the database, e.g. by phishing, then the database is broken. And here KeePass2 has simply shown that this is possible. So the KeePass database is death.
If that is what you mean... then you are just wrong.
That's not how security works. That's not how computers work. You're free to do whatever, use whatever, and call whatever you want "death". But it should have no bearing here.
Regarding the downgrade threat, each security sensitive application should display its version on the main screen so the user can recognise a change in the version.
Last edit: rpr 2023-02-10
I'm getting this:
https://sourceforge.net/p/keepass/discussion/329220/thread/fa30a8d2f7/
cheers, Paul
I've been using it for years and I've never had that come up with an update. Please advise, thx
All good, disregard :)
Last edit: Robert H 2023-02-08
I have a question. Are KeePass2 and KeePassXC compatible with the database?
If the answer to the question is yes, then the database format they both use is death. Because nobody will prevent me from copying an old KeePass2 installation with the appropriate settings into a KeePassXC installation.
The answer is: yes
That is not possible. KeePassXC cannot use the configuration of KeePass2. The database file doesn't handle Export functions, only the client program can do that.
KeePassXC does not support Plugins and does not support Triggers, which means there is nothing that could export the database silently.
If you use KeepassXC, and an attacker copies/replaces it with an old installation of Keepass2... and you are tricked into running that different application... it'll look very different, and you'll know you've been hacked. Just don't enter your password.
Last edit: BK834 2023-02-08
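As an added example that is not from the thread or the KeePass project, a PowerShell audit that lists the triggers in KeePass.config.xml, the file through which the silent export was configured, and flags actions whose parameters point at a path, share or URL. It assumes the default per-user config location and the Trigger/Action/TypeGuid/Parameter element names of the 2.x config; the search uses //Trigger so the exact nesting does not matter.

```powershell
# Added example, not from the thread or the KeePass project: enumerate the triggers in a
# KeePass 2.x config and flag actions whose parameters point at a path, share or URL.
# Assumptions: default per-user config path (portable builds keep it beside KeePass.exe),
# and <Trigger> / <Action> / <TypeGuid> / <Parameter> element names; //Trigger is used so
# the exact nesting under <TriggerSystem> does not matter.
param(
    [string]$ConfigPath = (Join-Path $env:APPDATA 'KeePass\KeePass.config.xml')
)

function Get-Text([System.Xml.XmlNode]$Node, [string]$Child) {
    $n = $Node.SelectSingleNode($Child)
    if ($n) { $n.InnerText } else { '' }
}

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    Write-Host "No config file at $ConfigPath"
    return
}

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
$triggers = $cfg.SelectNodes('//Trigger')

if ($triggers.Count -eq 0) {
    Write-Host "No triggers defined in $ConfigPath (expected on a stock install)."
    return
}

# Anything that looks like a drive path, UNC share or URL is where an export would be written.
$externalTarget = '^(\\\\|[A-Za-z]:\\|https?://|ftp://)'

foreach ($t in $triggers) {
    $name    = Get-Text $t 'Name'
    $enabled = Get-Text $t 'Enabled'
    $actions = $t.SelectNodes('.//Action')
    Write-Host ("Trigger '{0}' (Enabled={1}), {2} action(s)" -f $name, $enabled, $actions.Count)
    foreach ($a in $actions) {
        $guid   = Get-Text $a 'TypeGuid'
        $params = @($a.SelectNodes('.//Parameter') | ForEach-Object { $_.InnerText })
        Write-Host ("  Action {0}: {1}" -f $guid, ($params -join ' | '))
        $suspect = @($params | Where-Object { $_ -match $externalTarget })
        if ($suspect.Count -gt 0) {
            Write-Warning ("  Action targets an external location: {0}" -f ($suspect -join ', '))
        }
    }
}
```

A stock install reports no triggers at all, so any trigger listed here is worth explaining before unlocking the database with that client.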
Of course, nobody prevents me from copying a portable version of KeePass2 into the user context. When the "Enter password" window appears, then the user certainly does not enter anything. Or maybe they do?
Not realistic. I would not expect people to knowingly enter a master password for a completely different looking application.
Last edit: BK834 2023-02-08
Then our experience with windows that pop up is different. The user then says: "I signed up!" "Why doesn't it work?"
I want to share some steps someone might find useful:
1. Windows offers a so-called "Controlled folder access" feature. Add Keepass' config folder there
2. Launch Keepass instance and change something in Options (just to be sure it triggers saving)
3. See if CFA catches a write attempt, allow the Keepass binary (this requires elevation). Save should be successful after this step.
I'll attach 2 screenshots. Just an idea, a good security measure to have anyway (protecting Documents folder from ransomware is the base use case).
As far as I can tell this "Controlled folder access" feature only works if you are using Windows Defender. If you use another Security product (e.g. Avast, that is what I have been using for years) then Defender is automatically disabled and the feature you are suggesting does not seem to work, at least on my computer (W10 Professional).
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#how-microsoft-defender-antivirus-affects-defender-for-endpoint-functionality
Yes, if you want/need to run a 3rd party AV, then Defender will need to be disabled or run in Passive Mode. In which case, CFA doesn't work.
I usually recommend that users don't use non-Microsoft AV. It's been a while since the time when Microsoft wasn't the preferred method to protect its own OS. These days, Defender AV and other exploit mitigations are all you need. #fightme
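The three Controlled folder access steps above as PowerShell, run from an elevated prompt, with the running-mode check the replies mention; this is an added example, not from the thread. It assumes an installed (non-portable) KeePass, i.e. the config in %APPDATA%\KeePass and the binary under Program Files; adjust both paths for a portable copy.

```powershell
# Added example, not from the thread: Controlled folder access (CFA) for the KeePass config folder.
# Assumptions: installed KeePass, config in %APPDATA%\KeePass, binary under Program Files.
$configDir = Join-Path $env:APPDATA 'KeePass'
$keepass   = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'

# Step 0: CFA only enforces while Defender is the active AV. Behind a third-party AV it runs
# in Passive Mode (or not at all), and the rules below are silently ineffective.
$status = Get-MpComputerStatus
if ($status.AMRunningMode -ne 'Normal') {
    Write-Warning "Defender running mode is '$($status.AMRunningMode)'; Controlled folder access will not enforce."
}

# Step 1: turn CFA on and protect the config folder (the folder holding the .kdbx is worth adding too).
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders $configDir

# Step 3: allow the KeePass binary itself, otherwise saving Options (step 2) is blocked.
Add-MpPreference -ControlledFolderAccessAllowedApplications $keepass

# Verify the resulting preference.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# Step 2 check: after changing something in Options, any write to the config folder by a process
# other than KeePass.exe shows up here as a CFA block event (ID 1123).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```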
Dear Dominik Reichl,
when will we see an update that fixes the export trigger vulnerability issues?
2.53.1 released yesterday.
https://keepass.info/news/n230109_2.53.html
cheers, Paul
In the current version 2.53.1 you have to provide the master password for any export.
This can no longer be controlled by the config file.
I tested the new version 2.53.1
Yes, keepass asks a second time for the password, but with the same login mask and a slightly modified popup title: "Enter current Master Key (Export)"
A normal user will think he mistyped the master password the first time and will enter the password again. The second time the export will trigger and the attacker will still get the exported clear-text passwords.
SO... no fix at all!!!
Sorry, but this is nonsense.
It fixes the way one could use to make a hidden password export.
There is no way against silly users.
The vulnerability that is being discussed is that not even an attentive user could detect anything was wrong.
After this fix, at least the responsibility has shifted back to the user, to at least pay attention when typing a master password.
There is nothing that can be done for a PEBKAC.
I totally disagree with this assumption. PEBKAC issues are often linked to information that is not clear enough. This is the exact same mechanism as phishing. You can say that all people that were abused by phishing are idiots. I don't. I know very smart people that have been abused just because the phishing was so perfect that you cannot make the difference between the real email/website and the phishing email/website. Only the sender email or URL can tell, and that information is taking less than 1% of the screen. A banner saying "warning, this is a phishing" can really do a good job here to protect people. You can say it is PEBKAC; I say it is security.
This is exactly the same issue here. The author just incorporated a phishing into his own software. You think that you are unlocking the database to access passwords, but in fact you are exporting the whole database in clear text. How to make the difference? Just with a little word added in a sentence that very few people will carefully read.
The information should be presented in red, with big warnings. That's how you can do something against PEBKAC!