CVE CyberSecurity Database News

CVE-2024-33901 - Password Leak in KeePassXC 2.7.7 via Memory Dump Explained

Poster -

If you use KeePassXC to manage your passwords, you might have heard about a security bug called CVE-2024-33901. This vulnerability affects KeePassXC version 2.7.7 and could let someone with access to your computer’s memory read your saved passwords—even if your database is locked. In this post, I’ll break down how this bug works, show you example code, discuss what the KeePassXC team had to say, and suggest ways to protect yourself.

What is CVE-2024-33901?

CVE-2024-33901 is a security vulnerability in KeePassXC 2.7.7. It lets an attacker (who already has your user rights) dump your computer’s memory and recover passwords sitting there in plain text.

Why does this happen? When you open your KeePassXC database and view or copy a password, that password lives somewhere in your computer’s memory (RAM). Unfortunately, KeePassXC doesn’t always erase that password from RAM when you’re done with it. So, a local attacker—or even malware—could take a memory snapshot (“dump”) and fish out your secrets.

You need to be running KeePassXC 2.7.7 (possibly earlier as well)

- The attacker needs enough access to view your computer’s RAM, either physically at your PC or via software with your permissions

How Does the Attack Work?

Suppose you unlock your KeePassXC vault, copy an important password, and then close KeePassXC. Ideally, that password should vanish from RAM. But due to how KeePassXC manages memory, that password may stick around.

A simple proof of concept uses the strings command on Linux to find passwords in a process memory dump.

If you see your password in the results, it means it was still in memory!

Windows Example:
Tools like Process Hacker or procdump can be used to do the same thing.

Below is a basic Python script that searches for a string in a core dump file

# save as search_password.py
import sys

def search_password(corefile, password):
    with open(corefile, 'rb') as f:
        content = f.read()
    if password.encode() in content:
        print("Password FOUND in memory dump!")
    else:
        print("Password NOT found in dump.")

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python search_password.py <corefile> <password>")
    else:
        search_password(sys.argv[1], sys.argv[2])

Run it like

python search_password.py core.1234 YourSecretPassword

Vendor Response

The KeePassXC team acknowledges the risk but says it’s nearly impossible to avoid. Once a password is decrypted and shown to the user, it has to be in RAM for you to see or copy it. Due to limitations in both the operating system and their programming language (C++), fully erasing all traces of passwords is not guaranteed. That means even if the software is designed perfectly, your secrets may still linger in memory.

Official Vendor Statement (GitHub issue discussion):
> "There is no 100% way to remove all traces of sensitive data from memory once it has been decrypted and processed. This is a limitation of all operating systems and application memory management. The only way to protect your secrets from a privileged local attacker is to prevent an attacker from gaining access to your computer in the first place."

They also argue that this kind of vulnerability is present in all password managers, not just KeePassXC.

References

- CVE Record: CVE-2024-33901
- KeePassXC GitHub Issue #12135
- Relevant Linux gcore Documentation
- Process Hacker
- Sysinternals Procdump

Mitigations and Recommendations

1. Limit Physical and Remote Access: The main risk comes from attackers who already control your account or machine. Use strong passwords, lock your screen, and don’t let unknown people use your computer.
2. Clean Clipboard Regularly: Use KeePassXC’s “clear clipboard” feature, which erases the password after a set period.

Restart After Use: Restarting your computer or logging out could help clear RAM.

4. Use Full Disk Encryption: This helps prevent cold boot attacks where someone steals RAM content after you power off.
5. Keep Your System Updated: Always install security updates, both for KeePassXC and your operating system.
6. Report Concerns: If you handle extremely sensitive information, consider using hardware security tokens or password managers that support hardware isolation.

Conclusion

CVE-2024-33901 shows a real but common challenge for password managers: once a password is in memory, you can’t be sure it’s gone until you shut down or restart. As long as someone trustworthy controls your computer, you’re mostly safe—but this is a reminder to take local security seriously. Remember, the best defense is preventing attackers from accessing your device in the first place!

If you want more details or have further questions, check out the official KeePassXC GitHub thread and keep your software up to date. Stay safe!

Timeline

Published on: 05/20/2024 21:15:09 UTC
Last modified on: 08/02/2024 03:15:33 UTC