Pleasant Password Server Products Protect the Master Password against CVE-2023-32784
Regarding: CVE-2023-32784
Summary:
Pleasant Password Server safeguards the master password used for the KeePass for Pleasant login, so that this particular area is not affected by this security concern.
The concern can be fully mitigated with the Pleasant Password Server (Stable version), its Server Options, and our customized KeePass client app. By default, it is already partly mitigated (see below for full details).
KeePass has demonstrated a resolution to this problem in its community forums, with a release expected in a couple of weeks. The scope of the issue is limited or eliminated by the Pleasant Password safeguards; exploiting it would require access to the machine (and thereby access to memory and files anyway); and it is a difficult attack with low likelihood.
MITIGATIONS:
- Option A) Block KeePass access - in 7.11.44 (Stable version): navigate to General Settings > toggle the "Enable application API" setting to OFF.
- Option B) Wait for the KeePass fix version, expected soon.
- Option C) Enable Zero-Knowledge Encryption on entries (v8.x with Ent+SSO). This currently also blocks KeePass access to the entry.
KEEPASS SECURITY:
- KeePass has an excellent security history, and has been shown to be more thorough in its memory handling and scrubbing than other popular password managers, which in comparison have been shown to have memory security problems.
- The EU has run a Bug Bounty program for KeePass, and security-wise the app's reputation has been quite stellar.
- KeePass remains a recommendation, e.g. even by national cyber office(s).
LIMITED SCOPE/IMPACT:
- This attack requires access to the machine (where the attacker would have memory / system access anyway and so could do whatever they wanted), so it is a difficult hack to exploit with low likelihood.
- In version 8, Zero-Knowledge encryption entries are not affected.
- KeePass for Pleasant login passwords are not affected.
- KeePass for Pleasant does not bring all entry passwords into memory.
- The KeePass for Pleasant app can be blocked entirely.
- KeePass has already demonstrated a solution, which will be released, making this a temporary problem.
- Recent Pleasant Password Server versions will now require KeePass instances to be updated.
FIX RELEASE:
- An updated version of the KeePass for Pleasant app is expected once the resolution provided by KeePass is available shortly.
DISCUSSION OF ATTACK VECTORS:
- Like any application, KeePass is vulnerable if a hacker or malware has open access to the machine, and thereby also has access to the memory and/or system files; at that point they could theoretically do whatever they wish.
- For this reason, some vendors may choose to restrict access to KeePass / the API, and only use the Web application.
SAFE DISCLOSURE - WAS NOT DONE BY THE RESEARCHER:
- Safe disclosure of a vulnerability takes a few minutes of effort to look up contacts and reach out. This typically helps mitigate many complications and pain for application users. But this was not done, and it has let down the KeePass community.
- However, a fix has been demonstrated and is imminent, so this vulnerability is expected to be temporary / short-lived and resolved with an updated version.
Update Pleasant Password Software
Recent releases of Password Server include other important Pleasant Password Server security updates that require updating for other, unrelated issues.