KeePass 2.34 plugs security issue

A recently disclosed man-in-the-middle vulnerability in the popular password manager KeePass has been fixed in KeePass 2.34.

The issue required some preparation on part of the attacker to be exploited successfully. It took advantage of KeePass' update check mechanics which did not verify the information provided by the KeePass server nor use a secure transfer protocol for transmitting them to the user system.

An attacker could manipulate the information to inform users about new updates, and then deliver a manipulated copy of KeePass to the user when downloads are initiated.

Attackers can exploit the issue for targeted attacks only, and users would have to perform update checks from within KeePass and click on the link to download the new version of the program from the website without verifying its signature.

KeePass 2.34

It is recommended to download KeePass 2.34 from the developer website directly to avoid potential issues.

KeePass 2.34 patches the update check issue by sending the version information file over HTTPS, digitally signing in, and setting up the password manager so that it will only accept version information files that are digitally signed.

This prevents man in the middle attacks targeting the file plugging the security issue in the process.

Side note: All KeePass binaries are signed, and it is easy enough to verify that the digital signature is correct. To verify the signature, open the KeePass directory on your system, right-click on any executable file, select properties from the menu, and switch to "digital signatures" afterwards.

The signature should read "Open Source Developer, Dominik Reichl". If that is the case, the file is legitimate.

Other changes in KeePass 2.34

The new version of the password manager ships with other improvements and even some new features that are worth a closer look.

First, there is a new option to lock the workspace when the main KeePass window is minimized to the tray.

KeePass users know that they can configure the program to auto-lock the database that is loaded in the program on certain events, such as on inactivity, when the computer is locked, or when the remote control mode changes.

The new option is useful only if KeePass is configured to minimize to the system tray instead of the taskbar. You find the preferences under Tools > Options > Security, and Tools > Options > Interface.

The author added two new shortcuts to KeePass that control the program's state. Ctrl-Q works like Alt-F4 in that it closes KeePass when invoked, while ESC may be mapped to minimize the main window to the system tray in the preferences.

The KeePass 2.34 installer and portable versions create a plugins folder automatically now under root that is empty by default. Plugin version information files support signing now, and they are loaded directly from the application directory and any subdirectory of the Plugins folder.

Existing KeePass users may notice startup performance improvements in the latest version thanks to the filtering of plugin candidates.

Last but not least, KeePass 2.34 searches and deletes temporary files created and forgotten by MSHTML after print jobs failed.

Closing Words

KeePass 2.34 plugs the recently disclosed security issue, and introduces some new features to the password manager on top of that.