Open source password manager KeePass sports a MitM vulnerability that could allow attackers to trick users into downloading malware disguised as a software update, security researcher Florian Bogner warns.
All versions of KeePass, including the latest, are vulnerable. The team developing the software is aware of the flaw (CVE-2016-5119), but they currently have no intention of fixing it.
“KeePass 2’s automatic update check uses HTTP to request the current version information,” Bogner has discovered. “An attacker can modify – through for example ARP spoofing or by providing a malicious Wifi Hotspot – the server response.”
The software would show a dialog box that indicates that there is a new version available for download. But even though the download link points to the official KeePass website (http://keepass.info/), the fact that the traffic to and from it is not encrypted means it could be intercepted and manipulated, and could result in the user downloading malware.
Here is a video demonstration of the attack:
“For any security centric tool – like a password manager – it is essential to not expose its users to any additional risks,” Bogner points out. He believes that switching to HTTPS should not be difficult, but apparently the developers are not of the same mind.
“The vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it an inviable solution,” KeePass developer Dominik Reichl responded when Bogner alerted them to the danger.
Users can protect themselves from this type of attack by downloading new versions of the software directly from KeePass’ SourceForge page.
Reichl also pointed out that verifying the KeePass download – no matter where it was downloaded from – is important. “The binaries are digitally signed (Authenticode); you can check them using Windows Explorer by going ‘Properties’ -> tab ‘Digital Signatures’,” he noted.
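The manual check Reichl describes can be scripted so it is not skipped. The PowerShell function below is an added example, not code from KeePass or from the article; it assumes the path of an already downloaded KeePass binary and a signer subject (`$ExpectedSignerCN`) that you take from the ‘Digital Signatures’ tab of a known-good copy, since the expected name is not given on this page.

```powershell
# Added example (not KeePass project code): refuse to trust a downloaded
# KeePass binary unless its Authenticode signature is valid AND the signer
# matches the subject seen on a known-good copy.
function Test-KeePassDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: caller supplies the signer CN observed on a trusted
        # copy (e.g. one fetched from the SourceForge page).
        [Parameter(Mandatory)] [string] $ExpectedSignerCN
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid means unsigned, tampered with after signing,
    # or signed by a certificate that does not chain to a trusted root.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for '$Path': $($sig.Status) - $($sig.StatusMessage)"
        return $false
    }

    # A valid signature alone is not enough: a MitM could substitute a binary
    # validly signed by some other publisher, so pin the signer's subject too.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSignerCN*") {
        Write-Warning "Unexpected signer for '$Path': $subject"
        return $false
    }

    # Record the SHA-256 so this file can later be compared with a copy
    # obtained through a different channel.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "OK: '$Path' is signed by '$subject' (SHA256 $hash)"
    return $true
}

# Usage (constructed path and placeholder signer name):
# Test-KeePassDownload -Path "$env:USERPROFILE\Downloads\KeePass-Setup.exe" `
#                      -ExpectedSignerCN 'CN=<signer from a known-good copy>'
```

Run it before executing any installer or ZIP contents obtained after an update prompt; a `$false` result means the file should be discarded regardless of where the download link appeared to point.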