Severe Vulnerabilities Uncovered In Popular Password Managers

chiefcrash shares a report from ZDNet: Independent Security Evaluators (ISE) published an assessment on Tuesday with the results of testing with several popular password managers, including LastPass and KeePass. The team said that each password management solution "failed to provide the security to safeguard a user's passwords as advertised" and "fundamental flaws" were found that "exposed the data they are designed to protect."

The vulnerabilities were found in software operating on Windows 10 systems. In one example, the master password which users need to use to access their cache of credentials was stored in PC RAM in a plaintext, readable format. ISE was able to extract these passwords and other login credentials from memory while the password manager in question was locked. It may be possible that malicious programs downloaded to the same machine by threat actors could do the same. The report has summarized the main findings based on each password management solution. Here's what ISE had to say about LastPass and KeePass -- two of the most popular password managers available:

"LastPass obfuscates the master password while users are typing in the entry, and when the password manager enters an unlocked state, database entries are only decrypted into memory when there is user interaction. However, ISE reported that these entries persist in memory after the software enters a locked state. It was also possible for the researchers to extract the master password and interacted-with password entries due to a memory leak."

"KeePass scrubs the master password from memory and is not recoverable. However, errors in workflows permitted the researchers from extracting credential entries which have been interacted with. In the case of Windows APIs, sometimes, various memory buffers which contain decrypted entries may not be scrubbed correctly."

'severe'

[Njovich]

So security researchers are scraping the bottom of the barrel to such an extent that having access to program data when you have total control over a computers memory is a severe vulnerability now?

Re:'severe'

[OffTheLip]

Users of this "vulnerability" are most likely state actors/law enforcement agencies, and 3 letter organizations. They have your computer, they need your password protected data.

Re:'severe'

[AmiMoJo]

Keepass is basically as good as it can ever possibly be. The "vulnerability" they found relates to the fact that when it displays entries on screen Windows will make copies of some of the data to create the GUI, and there is no effective way to scrub that.

Which is basically irrelevant because 99% of the time the user is going to use that information on the same machine anyway, i.e. they will copy/paste it into a browser or encryption app. So the attacker needs to have control of the machine in order to read process memory, and even if somehow Keepass blocked them they could likely just recover it from keystrokes, the clipboard or the app it's being used it.

The main risk is that the app crashes and the secret data can be recovered from the crash dump, but Keepass prevents that happening. Unfortunately they don't seem to have tested that attack.

Re:'severe'

[msauve]

Whoosh.

If a bad actor has control over a computer, they can simply use a keylogger. Way easier, and way less data to weed through.

WARNING! SECURITY ALERT! If someone has control of your computer, they have control of your computer.

Re:'severe'

[scdeimos]

Is it bottom of the barrel? I think it's healthy to stop and think about how password managers get used. If it makes you reconsider keeping your password manager open and unlocked all day every day, as opposed to only when you need it, this is a benefit. I'd never considered the implications of the Show/Hide Asterisks feature in KeePass, for example.

It's also important to remember: an attacker might have access to the memory of your computer, in which case you've lost the battle for your computer, but if they can also score all your usernames and passwords as well, that really does give them the keys to the kingdom.

Re:'severe'

[Cmdln+Daco]

Translation: None of us should fret about this hyped up topic. Unless we are actors on the level where a government agency is going to come after us.

And no, few if any people on Slashdot meet that criterion. No matter how much we herp and derp about it.

Re:'severe'

Is it bottom of the barrel? I think it's healthy to stop and think about how password managers get used. ...
but if they can also score all your usernames and passwords as well, that really does give them the keys to the kingdom.

I'd say yes, at least with their keepass results, this is bottom of the barrel.

They say this is a vulnerability in keepass, yet the only place in ram they found plaintext keys was from the windows API.
That sounds to me like a windows problem and not a keepass problem.

All passwords are going to be used to authenticate to something. If you can only get at the plaintext key after it is handed off to that something, it does seem like a huge stretch to blame the password manager for it.

Or put another way, if you remove keepass 100% from the equation, these researchers could use the exact same exploit they did to get the password you typed into a windows dialog box right from the windows API that created that dialog.

If their exploit works when typing in a password you memorized in exactly the same way it works when getting the password from keepass, as the case seems to be, it simply can't be a keepass vulnerability.

Clearly the exploit being in Windows makes it a lot worse than if it was just in the client/program you are authenticating with. Windows API will be involved with all of the passwords you use, while the client software only for what it does.

IE if you can intercept a password sent to chrome/firefox, you can get all web passwords, but your SSH client may be secure. With the problem being the windows api, both of those are equally vulnerable.

But all of those cases are long after keepass did its job, so I don't see how this is the fault of keepass like they claim.

Also entering the password by hand into a dialog will cause it to be kept in the windows API ram just the same, and I don't see why this is a keepass fault like they claim, especially for all the situations where people don't use/have/know-of keepass and have never once used it!
Yet it is the same exploit.

Grandma runs a program and types "12345" - never once heard of keepass, just types it - and according to these researchers the very fact they can find "12345" in ram left behind by a windows dialog box is somehow the fault of keepass. Again, the fault of a program not used or involved in that example!

That's why this is bottom of the barrel.

Note I'm not saying such verification and testing shouldn't be done. It absolutely should be, over and over, by as many people as possible. We don't want to miss anything.
I just feel the results should be labeled as what they are.

Re:'severe'

[Njovich]

If you suspect the CIA/NSA is really after you I wouldn't recommend you to use Lastpass, or Windows. In fact your options are pretty limited and I would highly recommend to not get into that situation in the first place.

Re:'severe'

[sexconker]

KeePass also has a feature that obfuscates autotyping. TCATO I believe, for two-channel auto type obfuscation.
It just doesn't type your password, it types characters, moves the cursor around, types others, pastes certain bits, etc.

It'll fool the common sniffer software, but anyone with a full dump (including what was copied and pasted pasted - most software keyloggers don't do that, and in-line hardware keyloggers can't do that) can of course replay it to get the password.

Re:2 Factor vaults

[grep+-v+'.*'+*]

Are there any decent USB stick based password vaults? Even better would be an unlock pin (or fingerprint) to be entered on the USB stick itself.

Great! Then all I'd need is your USB password stick and your finger. The rest of you and your computer can stay behind. I'd rather have the XKCD wrench, thank you.

Not sure

[Artem+S.+Tashkinov]

If I understand these two "vulnerabilities" properly, they require a piece of software installed/running locally which will steal/grab these passwords from RAM. However no normal/legitimate software will ever steal your passwords or access the RAM regions of other applications, which means this software is in essence malware which means you're already completely fucked and this software may just steal your master passwords, retreive all files, etc. etc. etc.

Re:Not sure

[Zocalo]

There are varying degrees of "completely fucked", but yes, if you are being successfully attacked using this method then you are already in a pretty bad place, although it's possible that a lucky attacker might obtain enough info to pivot the attack onto an entirely separate system you happen to have a password for. Going from one PC being compromised to your entire network being compromised is definitely a step up in the level of "completely fucked".

Of course, if the malware has already been able to intercept the master password to your password DB, then they'll likely have sent the DB file and the password back to a C&C server anyway, so it's very much game over at that point.

Re:Not sure

[Sique]

It's not unlikely. Actually, it's quite often used.

Imagine an IT shop working remotely on diverse customer sites. There are dozens of technicians, and literally hundreds of passwords. One way to manage the password hell would be to assign a password safe to each customer, installed at the customer site on the server you use as central remote access. So your technician tasked with a job there would look up the password safe master key for that customer, and then remotely access the server there, to find the passwords necessary to access all the other systems your IT shop manages.

Re:Use The Best Password

[kbg]

That's amazing! I've got the same combination on my luggage!

Re:2 Factor vaults

[plazman30]

I was thinking the same thing. You have hardware level access to a PC to the point where you can read RAM in order to get someone's master password from their password manager? Why would you bother? Just install a keylogger instead and you can have all sorts of fun.

Re:Other ways to display data

[drakaan]

Well, yes, but since you're most likely going to be doing a copy/paste out of the field with the password in it, that vulnerability is going to be eclipsed by the vulnerability of being able to grab what's in the clipboard. KeePass already doesn't show you the password by default when you open an entry. You have to click the little "show password" button. They could have easily made the password display as a bitmap image instead of text, but I'm assuming they didn't for the same reason I just mentioned. I mean, you can make it not ever display text, but instead read the password aloud, but each of the mitigations mentioned are just going to make people not use that password manager because it becomes inconvenient. Ultimately, if you don't just have all of your passwords memorized, you are vulnerable to some sort of attack that doesn't involve the wrench technique.

Still using pwsafe

[godrik]

Bruce Schneier, thank you for the fish!

Re:2 Factor vaults

[Anubis+IV]

To be fair, there may be forensic value in what they’re doing, such as if the PC has been confiscated as evidence and the user won’t be returning to unlock it anytime soon. Being able to unlock the vault without the need for a keylogger could be a major victory in that situation.