CVE-2023-24055
Published: 2023-01-22
Priority: P278 medium · CVSS 3.1 base score 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS: 3.66% (88.2th percentile)
KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| keepass | keepass | <= 2.53 | — |
Detection & IOCs (extracted from sources)
- ViperSoftX blocks web browser user-agents from accessing its C&C; defenders can detect C2 traffic by looking for non-browser user-agent strings reaching these domains, as the C&C returns encoded data only to modified user-agents.
- CVE-2023-24055 exploitation involves adding an export trigger to the KeePass XML configuration file to dump cleartext passwords; monitor for unexpected modifications to KeePass XML config files, especially the addition of trigger/export entries.
- ViperSoftX scans for KeePass 2 and 1Password installations as part of its password-manager targeting; detect PowerShell scripts enumerating paths associated with these password managers.
- The vendor (KeePass) disputes the severity of CVE-2023-24055, stating the threat model does not cover attackers with local write access to the PC; the export trigger attack requires pre-existing write access to the KeePass XML configuration file.
- Trend Micro's investigation found that while ViperSoftX scans for KeePass, observed detections related to CVE-2023-24055 exploitation were low in number and did not appear linked to ViperSoftX victims specifically.
- The CVE-2023-24055 export trigger feature has been disabled in recent KeePass patches and versions; detections targeting unpatched KeePass 2 installations (through 2.53) are the relevant scope.
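One way to implement the monitoring the second point above describes, as an added example that is not from any of the cited sources: a Python audit that parses a KeePass.config.xml, skips triggers on an approved baseline, and reports every other trigger together with its action parameters so an analyst can see whether it writes database contents to disk. The element layout (Configuration/Application/TriggerSystem/Triggers/Trigger), the GUIDs and the file path in the sample are constructed assumptions, not values from the page.

```python
import xml.etree.ElementTree as ET
from typing import List, Dict

# Constructed sample of a KeePass.config.xml fragment (not a real capture).
# The element layout is assumed from KeePass 2.x; GUIDs and the path are
# placeholders. The second trigger stands in for an unexpected export entry.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Triggers>
        <Trigger>
          <Guid>BASELINE-TRIGGER-GUID</Guid>
          <Name>Backup on save</Name>
          <Actions><Action><TypeGuid>PLACEHOLDER-ACTION</TypeGuid>
            <Parameters><Parameter>cmd.exe</Parameter></Parameters></Action></Actions>
        </Trigger>
        <Trigger>
          <Guid>UNKNOWN-TRIGGER-GUID</Guid>
          <Name>Export</Name>
          <Actions><Action><TypeGuid>PLACEHOLDER-ACTION</TypeGuid>
            <Parameters><Parameter>C:\\Users\\Public\\db.xml</Parameter></Parameters></Action></Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""

def audit_triggers(config_xml: str, baseline_guids: set) -> List[Dict]:
    """Return one finding per trigger whose GUID is not in the approved baseline.
    Each finding lists the trigger's action parameters and flags any that look
    like a file path, the strongest config-only signal of an export action."""
    root = ET.fromstring(config_xml)
    findings = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        guid = (trig.findtext("Guid") or "").strip()
        if guid in baseline_guids:
            continue  # known, approved trigger; nothing to report
        params = [p.text or "" for p in trig.iterfind("./Actions/Action/Parameters/Parameter")]
        findings.append({
            "guid": guid,
            "name": trig.findtext("Name") or "",
            "params": params,
            # A path separator plus an extension is treated as "writes a file".
            "writes_file": any(("\\" in p or "/" in p) and "." in p for p in params),
        })
    return findings
```

Run it against a real config by reading the file into a string and passing the GUIDs of your sanctioned triggers as the baseline; any finding with writes_file set deserves a look.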
CVSS provenance
- NVD (v3.1): 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- VulnCheck: 5.5 MEDIUM
GHSA
GHSA-xf2q-qxhf-rqh5 (ghsa_unreviewed · 2023-01-22) · CVE-2023-24055 [MEDIUM] · CWE-312
** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
VulnCheck
keepass keepass Cleartext Storage of Sensitive Information (vulncheck · 2023 · CVSS 5.5) · CVE-2023-24055 [MEDIUM]
KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
Affected: keepass keepass
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html
Exploit PoC: https://vulncheck.com/xdb/e75f270a4931; https://vulncheck.com/xdb/66e9c946ab50; https
No detection rules found.
No public exploits indexed.
Trendmicro
blogs_trendmicro · 2023-04-24 · Malware
# ViperSoftX Updates Encryption, Steals Data
We observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious. We also noted more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking.
By: Don Ovid Ladores, 2023/04/24
ViperSoftX, a type of information-stealing software, has been primarily reported as focusing on cryptocurrencies, making headlines in 2022 for its execution technique of hiding malicious code inside log files. Since it was first documented in November, we observed this malware campaign differentiating i
References
- https://securityboulevard.com/2023/01/keepass-password-manager-leak-cve-richixbw/
- https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/
- https://sourceforge.net/p/keepass/feature-requests/2773/