MitM Attack against KeePass 2's Update Check

Author: Florian Bogner Kapsch BusinessCom AG ()

Affected versions: all tested versions up to the current 2.33

An attacker can abuse KeePass 2's recommended automatic update check – if enabled – to “release” a new version and redirect the user to a malicious download page.

11:30: Issue privately reported to Dominik Reichl ()

15:45: Received response from Dominik Reichl: The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution.

18:00: MITRE assigned CVE-2016-5119

I reconfirmed that version 2.33 is still vulnerable

During a recent traffic analysis I stumbled upon an interesting request to. As I had a few hours spare I took a closer look.

It turned out that KeePass 2’s automatic update check uses HTTP to request the current version information. For that purpose it downloads the following text file from

If a new version is available a dialog is shown to the user. An attacker can modify – through for example ARP spoofing or by providing a malicious Wifi Hotspot – the server response to introduce a new version and thereby force the new version dialog to be shown. (Already heard about the new KeePass 9 release?)

If the user now clicks within the update dialog to download the new version, the URL is opened to manually download the new release. Guess what, we can also intercept that traffic as it again uses HTTP. Thereby an attacker can even indirectly control the downloaded “update”.

For any security centric tool – like a password manager – it is essential to not expose its users to any additional risks.
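The following sketch is an added example, not code from the advisory or from KeePass. It contrasts an update check that believes any response with one that refuses version information or download links an on-path attacker could have written. The `Product:major.minor` file format, the host names and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch; none of these values come from the advisory.
TRUSTED_DOWNLOAD_HOSTS = {"downloads.example.org"}  # placeholder host
INSTALLED = (2, 33)

def parse_version_info(body, product="KeePass"):
    """Parse constructed 'Product:major.minor' lines into a tuple, or None."""
    for line in body.splitlines():
        name, sep, ver = line.strip().partition(":")
        if sep and name == product:
            try:
                return tuple(int(part) for part in ver.split("."))
            except ValueError:
                return None
    return None

def naive_check(info_url, body, download_url):
    """Pattern described in the advisory: the response is trusted as-is."""
    latest = parse_version_info(body)
    return latest is not None and latest > INSTALLED

def hardened_check(info_url, body, download_url):
    """Return (offer_update, reason); reject anything not tied to TLS.

    Assumes the HTTPS client used for the fetch validates certificates.
    """
    if urlsplit(info_url).scheme != "https":
        return False, "version info fetched without TLS"
    link = urlsplit(download_url)
    if link.scheme != "https":
        return False, "download link is not HTTPS"
    if link.hostname not in TRUSTED_DOWNLOAD_HOSTS:
        return False, "download host not on allowlist"
    latest = parse_version_info(body)
    if latest is None:
        return False, "unparseable version info"
    if latest <= INSTALLED:
        return False, "up to date"
    return True, "update available"

# Constructed inputs: a response altered in transit, and a genuine one.
TAMPERED = ("http://updates.example.org/version.txt", "KeePass:9.0",
            "http://mirror.example.net/KeePass-9.0.exe")
GENUINE = ("https://updates.example.org/version.txt", "KeePass:2.34",
           "https://downloads.example.org/KeePass-2.34.exe")
```

Transport checks only protect the path to the server; signing the version file and the installer would also cover a compromised mirror.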