this post was submitted on 20 Jun 2023
16 points (100.0% liked)

Free and Open Source Software

18129 readers
141 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
[email protected]
[email protected]
16
BSI warnt vor KeePassXC-Schwachstellen / BSI warns of vulnerabilities in the password manager KeePassXC (www.heise.de)
submitted 2 years ago by [email protected] to c/[email protected]
21 comments fedilink hide all child comments
 

[email protected] - BSI warnt vor KeePassXC-Schwachstellen

Das BSI warnt vor Schwachstellen im Passwort-Manager KeePassXC. Angreifer können Dateien oder das Master-Passwort ohne Authentifzierungsrückfrage manipulieren.

[The BSI warns of vulnerabilities in the password manager KeePassXC. Attackers can manipulate files or the master password without authentication confirmation.]

top 21 comments
sorted by: hot top controversial new old
[–] [email protected] 6 points 2 years ago (1 children)

Lock the pc, if you leave and lock the db, if pc is locked, lid is closed and this is absolute a non-issue.

German BSI is sometimes a little bit over motivated ;-)

[–] [email protected] 1 points 2 years ago

You don't even need to lock the pc, locking the db is sufficient. The issue allows changing the settings on unlocked databases without needing to re-confirm (at least according to the article).

[–] [email protected] 5 points 2 years ago* (last edited 2 years ago) (2 children)

KeePassXC is not affected by this vulnerability.

[–] [email protected] 4 points 2 years ago* (last edited 2 years ago)

CVE-2023-32784

That's not the same issue mentioned in the article. Which is CVE-2023-35866.

[–] [email protected] 1 points 2 years ago (1 children)

This is also the vulnerability that made many people delete Keepass 2 for XC many months ago so it is very strange that they make an article that sounds like it's a new vulnerability.

[–] [email protected] 2 points 2 years ago* (last edited 2 years ago)

Wrong vulnerability. The discovered one is CVE-2023-35866, which is still pending verification* (analysis).

This affects KeePassXC. https://nvd.nist.gov/vuln/detail/CVE-2023-35866

[–] [email protected] 5 points 2 years ago (2 children)

Can't read German. What is it required to perform this attack?

[–] [email protected] 3 points 2 years ago (1 children)

Ok I checked it up (CVE-2023-35866). It basically says an attacker may export everything if they have access to your unlocked database. Which seems... obvious? The project contributors says it's not a vulnerability which I incline to agree.

[–] [email protected] 4 points 2 years ago

You mean to say that if I leave my door unlocked, somebody might come in? This is shocking news!

[–] [email protected] 4 points 2 years ago

Here is KeePassXC's response: https://keepassxc.org/blog/2023-06-20-cve-202335866

Basically some random guy with weird misconceptions about security decided this was an issue, it's obviously not. Honestly concerning that he was able to easily get a CVE for this and even get articles about it published on some websites.

[–] [email protected] 1 points 2 years ago (3 children)

Why is there no link to the article?

[–] [email protected] 3 points 2 years ago

On Jerboa(List View) the link is on the thumbail, maybe it's the same in the browser version. Keep in mind that the article on heise is in german.

[–] [email protected] 3 points 2 years ago

There is of you click on the image.