heisec@social.heise.de - BSI warnt vor KeePassXC-Schwachstellen

Das BSI warnt vor Schwachstellen im Passwort-Manager KeePassXC. Angreifer können Dateien oder das Master-Passwort ohne Authentifzierungsrückfrage manipulieren.

[The BSI warns of vulnerabilities in the password manager KeePassXC. Attackers can manipulate files or the master password without authentication confirmation.]

  • koenada@beehaw.org
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    These really aren’t vulnerabilities. Give the github issue a read. Basically, if they have access to the unencrypted db, then asking for the password again is just window dressing. It doesn’t really provide much, if any security value as they already have the data from the db.

    Keepassxc is not an online manager. It doesn’t really make sense to require a password when making changes as they already have access to everything if they have local access to the machine when the db is unlocked.

    • blackstrat@lemmy.fwgx.uk
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      It’s a denial of service vulnerability. Requiring the existing master password to change the master password will stop a drive by miscreant denying you access to your db. And password change system I’ve ever used has required the existing password to he entered first.

      Likewise a full db export feel like a big enough deal to require authorization.

      If you’re careful and lock your machine when you leave it then you should be pretty safe. I’m surprised these aren’t already features.

      • Eufalconimorph@beehaw.org
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        No, requiring the existing master password won’t help. A drive by miscreant with access to an unlocked computer with an unlocked DB can delete all the DB entries. If the DB is locked they can just delete the DB file. KeePassXC can’t defend against this, that takes properly functioning versioned backups.

        • blackstrat@lemmy.fwgx.uk
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          yeah, maybe denial of service isn’t it. I replied to a comment above why I think it should still be protected functionality to help prevent data leak.

        • blackstrat@lemmy.fwgx.uk
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Yeah, that’s fair. But a full db export that they could then email themselves. It’d be nice to have some more protection against that. Or Change the master password and email the encrypted file to themselves.