CVE-2023-24055 Detection: Notorious Vulnerability in KeePass Potentially Exposing Cleartext Passwords

Stay alert! Security researchers have discovered a notorious vulnerability posing a serious threat to users of a popular password manager KeePass. A security flaw, tracked as CVE-2023-24055, might affect KeePass version 2.5x, potentially allowing attackers to obtain stored passwords in cleartext. 

CVE-2023-24055 Detection

With proof-of-concept (PoC) exploit available, and in view that KeePass is one of the most popular password managers globally, existing security glitch is a juicy target for attackers. To proactively detect malicious activity associated with CVE-2023-24055 exploitation, SOC Prime’s Detection as Code Platforms offers a batch of dedicated Sigma rules.

Possible KeePass [CVE-2023-24055] Exploitation Patterns (via cmdline)

Possible KeePass [CVE-2023-24055] Exploitation Patterns (via powershell)

Both rules above detect exploitation patterns related to the KeePass vulnerability in the spotlight and are based on the CVE-2023-24055 PoC exploit code. This code might be modified by adversaries to avoid detection and proceed with the attack while flying under the radar. 

The detections are compatible with 22 SIEM, EDR, and XDR platforms and are aligned with the MITRE ATT&CK® framework v12, addressing the Initial Credential Access and Exfiltration tactics with Credentials from Password Stores (T1555) and Exfiltration Over Web Service (T1567) as the corresponding techniques. 

Also, to detect the malicious activity associated with potential CVE-2023-24055 exploitation, SOC Prime Team highly recommends applying the detection rules listed below: 

The Possibility of Execution Through Hidden PowerShell Command Lines (via cmdline)

Suspicious Powershell Strings (via powershell)

Call Suspicious .NET Classes/Methods from Powershell CommandLine (via process_creation)

Call Suspicious .NET Methods from Powershell (via powershell)

Press the Explore Detections button to instantly access all dedicated Sigma rules for CVE-2023-24055, accompanied by corresponding CTI links, ATT&CK references, and threat hunting ideas.

Explore Detections

CVE-2023-24055 Analysis

KeePass is an extremely popular free open source tool claimed to be one of the most powerful and secure managers to date. However, a novel vulnerability recently revealed to affect KeePass might expose millions of users to the risk of compromise. 

As explained in the research by Alex Hernandez and detailed in a dedicated SourceForge thread, the vulnerability in question might allow an attacker with write access to the XML configuration file to obtain the cleartext passwords by adding an export trigger. The PoC exploit for CVE-2023-24055, a scanner for it, and a list of trigger examples were publicly posted on Alex Hernandez’s GitHub.

Notably, the vendor states that the password database is not intended to be secure against an attacker who has that level of access to a local PC. Moreover, the list of affected KeePass versions is still disputed. For now, KeePass v2.5x is considered to be affected. Users are urged to upgrade to the latest 2.53 version to prevent potential compromises.

Boost your threat detection capabilities and accelerate threat hunting velocity equipped with  Sigma, MITRE ATT&CK, and Detection as Code to always have curated detection algorithms against any adversary TTP or any exploitable vulnerability at hand. Obtain 800 rules for existing CVEs to proactively defend against threats that matter most. Instantly reach 140+ Sigma rules for free or get all relevant detection algorithms with On Demand at https://my.socprime.com/pricing/.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts