The Dutch Cyber Security Center has issued a warning against the use of password manager KeePass. Attackers with access to a PC can execute passwords in plaintext. The developer does not want to close the vulnerability.
The threat level of the attack is not that high as it requires access to the PC where the database resides. Therefore, according to the CVE notice , the developer says no fix is needed. KeePass is not intended to be secure against attackers who have already penetrated the victim’s PC.
The attack can be countered by changing the configuration so that the master password is required for an export of the stored database of passwords. That prevents the export trigger from the attack from working. The NCSC warns organizations to review KeePass configuration to ensure it is enabled. “In addition, organizations are advised to make a risk assessment before using KeePass.”
