Slashdot Mirror


Severe Vulnerabilities Uncovered In Popular Password Managers (zdnet.com)

chiefcrash shares a report from ZDNet: Independent Security Evaluators (ISE) published an assessment on Tuesday with the results of testing with several popular password managers, including LastPass and KeePass. The team said that each password management solution "failed to provide the security to safeguard a user's passwords as advertised" and "fundamental flaws" were found that "exposed the data they are designed to protect."

The vulnerabilities were found in software operating on Windows 10 systems. In one example, the master password which users need to use to access their cache of credentials was stored in PC RAM in a plaintext, readable format. ISE was able to extract these passwords and other login credentials from memory while the password manager in question was locked. It may be possible that malicious programs downloaded to the same machine by threat actors could do the same.
The report has summarized the main findings based on each password management solution. Here's what ISE had to say about LastPass and KeePass -- two of the most popular password managers available:

"LastPass obfuscates the master password while users are typing in the entry, and when the password manager enters an unlocked state, database entries are only decrypted into memory when there is user interaction. However, ISE reported that these entries persist in memory after the software enters a locked state. It was also possible for the researchers to extract the master password and interacted-with password entries due to a memory leak."

"KeePass scrubs the master password from memory and is not recoverable. However, errors in workflows permitted the researchers to extract credential entries which have been interacted with. In the case of Windows APIs, sometimes, various memory buffers which contain decrypted entries may not be scrubbed correctly."
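The distinction the report draws for KeePass, between the copy of a secret the application owns and scrubs and the copies that Windows GUI buffers take and may not scrub, is easiest to see in code. The C program below is an added example, not code from ISE, KeePass or LastPass. It models a decrypted entry handed to a hypothetical text control (`widget_set_text`, an assumption standing in for a real GUI control that keeps its own copy), shows that scrubbing only the owner's buffer leaves the control's copy findable, and includes the kind of post-lock check (`count_secret_copies`) a test suite can run over a process's own buffers. `secure_zero` is the portable volatile-store idiom; the sample password and the 256-byte "arena" are constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zero a buffer through a volatile pointer so the stores are not treated as
 * dead and removed by the optimizer, which is why a plain memset() right
 * before free() or return is unreliable. Platform equivalents are memset_s
 * (C11 Annex K), explicit_bzero (BSD/glibc) and SecureZeroMemory (Windows);
 * the portable form is used here so the example is self-contained. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Count how many times `secret` still appears anywhere in `region`.
 * After a lock/clear operation the expected value is 0. */
size_t count_secret_copies(const unsigned char *region, size_t region_len,
                           const char *secret)
{
    size_t slen = strlen(secret);
    size_t hits = 0;
    if (slen == 0 || region_len < slen)
        return 0;
    for (size_t i = 0; i + slen <= region_len; i++)
        if (memcmp(region + i, secret, slen) == 0)
            hits++;
    return hits;
}

/* Constructed stand-in for the memory a password manager can inspect:
 * offset 0 holds the decrypted entry the application owns, offset 128
 * holds a buffer belonging to a hypothetical GUI control. */
enum { ARENA_SIZE = 256, ENTRY_OFF = 0, WIDGET_OFF = 128 };
typedef struct { unsigned char mem[ARENA_SIZE]; } arena_t;

/* Hypothetical GUI control: like a real text widget, it keeps its own copy
 * of whatever text it is given, in memory the caller did not allocate. */
void widget_set_text(arena_t *a, const char *text)
{
    size_t n = strlen(text) + 1;
    if (n > ARENA_SIZE - WIDGET_OFF)
        n = ARENA_SIZE - WIDGET_OFF;
    memcpy(a->mem + WIDGET_OFF, text, n);
}

/* Scenario 1: on "lock" the application scrubs only the buffer it owns. */
size_t copies_after_naive_scrub(const char *pw)
{
    arena_t a;
    memset(&a, 0, sizeof a);
    memcpy(a.mem + ENTRY_OFF, pw, strlen(pw) + 1);          /* decrypted into memory */
    widget_set_text(&a, (const char *)a.mem + ENTRY_OFF);   /* shown on screen */
    secure_zero(a.mem + ENTRY_OFF, strlen(pw) + 1);         /* clear our own copy */
    return count_secret_copies(a.mem, ARENA_SIZE, pw);      /* widget copy survives: 1 */
}

/* Scenario 2: every buffer that received the secret is scrubbed on "lock",
 * including the control's, which in a real application means clearing the
 * widget text (or never showing the plaintext) before locking. */
size_t copies_after_full_scrub(const char *pw)
{
    arena_t a;
    memset(&a, 0, sizeof a);
    memcpy(a.mem + ENTRY_OFF, pw, strlen(pw) + 1);
    widget_set_text(&a, (const char *)a.mem + ENTRY_OFF);
    secure_zero(a.mem + WIDGET_OFF, ARENA_SIZE - WIDGET_OFF);
    secure_zero(a.mem + ENTRY_OFF, strlen(pw) + 1);
    return count_secret_copies(a.mem, ARENA_SIZE, pw);      /* 0 */
}

int main(void)
{
    const char *pw = "constructed-sample-password";  /* constructed test value */
    printf("copies left after naive scrub: %zu\n", copies_after_naive_scrub(pw));
    printf("copies left after full scrub:  %zu\n", copies_after_full_scrub(pw));
    return 0;
}
```

Compile with `cc -std=c99 -O2 scrub.c` to see the optimized build still zero the buffers. The model is deliberately optimistic: in a real process the control's copy may live in memory the application cannot address at all, which is the situation the report describes for Windows API buffers, so the only complete mitigation is not to hand the plaintext to the control in the first place.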

6 of 122 comments

  1. 'severe' by Njovich · · Score: 4, Insightful

    So security researchers are scraping the bottom of the barrel to such an extent that having access to program data when you have total control over a computer's memory is a severe vulnerability now?

    1. Re:'severe' by OffTheLip · · Score: 5, Insightful

      Users of this "vulnerability" are most likely state actors/law enforcement agencies, and 3 letter organizations. They have your computer, they need your password protected data.

    2. Re:'severe' by AmiMoJo · · Score: 5, Insightful

      Keepass is basically as good as it can ever possibly be. The "vulnerability" they found relates to the fact that when it displays entries on screen Windows will make copies of some of the data to create the GUI, and there is no effective way to scrub that.

      Which is basically irrelevant because 99% of the time the user is going to use that information on the same machine anyway, i.e. they will copy/paste it into a browser or encryption app. So the attacker needs to have control of the machine in order to read process memory, and even if somehow Keepass blocked them they could likely just recover it from keystrokes, the clipboard or the app it's being used in.

      The main risk is that the app crashes and the secret data can be recovered from the crash dump, but Keepass prevents that happening. Unfortunately they don't seem to have tested that attack.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    3. Re:'severe' by Anonymous Coward · · Score: 3, Insightful

      Is it bottom of the barrel? I think it's healthy to stop and think about how password managers get used. ...
      but if they can also score all your usernames and passwords as well, that really does give them the keys to the kingdom.

      I'd say yes, at least with their keepass results, this is bottom of the barrel.

      They say this is a vulnerability in keepass, yet the only place in RAM they found plaintext keys was from the Windows API.
      That sounds to me like a Windows problem and not a keepass problem.

      All passwords are going to be used to authenticate to something. If you can only get at the plaintext key after it is handed off to that something, it does seem like a huge stretch to blame the password manager for it.

      Or put another way, if you remove keepass 100% from the equation, these researchers could use the exact same exploit they did to get the password you typed into a Windows dialog box right from the Windows API that created that dialog.

      If their exploit works when typing in a password you memorized in exactly the same way it works when getting the password from keepass, as the case seems to be, it simply can't be a keepass vulnerability.

      Clearly the exploit being in Windows makes it a lot worse than if it was just in the client/program you are authenticating with. Windows API will be involved with all of the passwords you use, while the client software only for what it does.

      I.e., if you can intercept a password sent to chrome/firefox, you can get all web passwords, but your SSH client may be secure. With the problem being the Windows API, both of those are equally vulnerable.

      But all of those cases are long after keepass did its job, so I don't see how this is the fault of keepass like they claim.

      Also entering the password by hand into a dialog will cause it to be kept in the Windows API RAM just the same, and I don't see why this is a keepass fault like they claim, especially for all the situations where people don't use/have/know-of keepass and have never once used it!
      Yet it is the same exploit.

      Grandma runs a program and types "12345" - never once heard of keepass, just types it - and according to these researchers the very fact they can find "12345" in RAM left behind by a Windows dialog box is somehow the fault of keepass. Again, the fault of a program not used or involved in that example!

      That's why this is bottom of the barrel.

      Note I'm not saying such verification and testing shouldn't be done. It absolutely should be, over and over, by as many people as possible. We don't want to miss anything.
      I just feel the results should be labeled as what they are.

  2. Re:2 Factor vaults by plazman30 · · Score: 4, Insightful

    I was thinking the same thing. You have hardware level access to a PC to the point where you can read RAM in order to get someone's master password from their password manager? Why would you bother? Just install a keylogger instead and you can have all sorts of fun.

  3. Re:Other ways to display data by drakaan · · Score: 5, Insightful

    Well, yes, but since you're most likely going to be doing a copy/paste out of the field with the password in it, that vulnerability is going to be eclipsed by the vulnerability of being able to grab what's in the clipboard. KeePass already doesn't show you the password by default when you open an entry. You have to click the little "show password" button. They could have easily made the password display as a bitmap image instead of text, but I'm assuming they didn't for the same reason I just mentioned. I mean, you can make it not ever display text, but instead read the password aloud, but each of the mitigations mentioned is just going to make people not use that password manager because it becomes inconvenient. Ultimately, if you don't just have all of your passwords memorized, you are vulnerable to some sort of attack that doesn't involve the wrench technique.

    --
    "Murphy was an optimist" - O'Toole's commentary on Murphy's Law