Security KeePass Won't Fix a Security Flaw Because It Will Lose Advertising Revenue

eva2000 · Jun 7, 2016

Wow KeePass users beware KeePass Won't Fix a Security Flaw Because It Will Lose Advertising Revenue !

The developer of the KeePass password manager has intentionally declined to fix a security flaw that allows for MitM (Man-in-the-Middle) attacks on the app's update process.

Back in February, Florian Bogner, a developer for Kapsch BusinessCom, discovered that all KeePass 2.x versions featured an insecure update mechanism that asked the KeePass servers for new releases via an insecure HTTP connection.

Bogner was able to create and launch a MitM attack, replacing the KeePass update with a malicious file (check video below). This attack was possible because KeePass didn't use HTTP, nor did it verify downloaded packages.

KeePass developer initially declines to fix issue
The researcher notified KeePass's project leader, Dominik Reichl, who told Bogner in an email in February that "the vulnerability will not be fixed. The indirect costs of switching to HTTPS (like lost advertisement revenue) make it a inviable solution."

After receiving a CVE identifier from Mitre, CVE-2016-5119, the researcher decided to go public with his research, which soon ended up on all security-focused forums, but not because of the trivial exploit, but more because of Reichl's response, who choose sweet advertising money over the security of his users.
Click to expand...

Xon · Jun 7, 2016

Saw this on Hacker News fairly damn disappointing.

eva2000 · Jun 7, 2016

Indeed.. you use KeePass ? I am using LastPass myself

Xon · Jun 8, 2016

eva2000 said: ↑

Indeed.. you use KeePass ? I am using LastPass myself
Click to expand...

Yeah, I turned off the auto-update ages ago because it was annoying. But glad I did since it was checking over HTTP!

eva2000 · Jun 8, 2016

indeed reading Full Disclosure: MitM Attack against KeePass 2's Update Check they also use an invalid cert for their https version of their site too!

Suggested Solution
===================================================
For any security centric tool – like a password manager – it is essential to not expose its users to any additional
risks.

Hence, I strongly recommend that all requests should be switch to encrypted HTTPS communication – especially version
checks and updates! This should be fairly easy to implement and should not introduce any compatibility issues.
Furthermore a valid certificate should be used for https://keepass.info and all unencrypted HTTP requests should be
redirected to the encrypted version of the site. To provide even more security it is recommended to add the HTTP Strict
Transport Security (HSTS) headers. As an alternative the update check feature could be removed.

Workaround
===================================================
Until the version check has been switched to HTTPS, update notifications should be taken with a grand of salt. To be on
the safe side, new releases should be downloaded only directly from Keepass’s secured Sourceforge page:
KeePass download | SourceForge.net
Click to expand...

eva2000 · Jun 9, 2016

Update at KeePass2 v 2.34 to fix update security problem | Hacker News

original Security Issues - KeePass so version file is downloaded over HTTPS apparently

Automatic Update Vulnerability
There have been some articles about automatic KeePass updates being vulnerable. This section clarifies the situation and its resolution.

First of all, we would like to note that KeePass cannot update itself. KeePass does support checking for updates (optional; by downloading a version information file, comparing the available with the installed version number, and displaying a notification if necessary). However, it neither downloads nor installs any new version automatically. Users have to do this manually.

KeePass can be downloaded from many servers (SourceForge with its many mirror servers, FossHub, etc.). In order to make sure that the downloaded file is official, users should check whether the file is digitally signed (Authenticode; all KeePass binaries are signed, including the installer, KeePass.exe and all other EXE and DLL files). The digital signature can be checked using Windows Explorer by right-clicking the file -> 'Properties' -> tab 'Digital Signatures'. When running the installer, the UAC dialog displays the digital signature information, i.e. users who carefully read the UAC dialog do not have to inspect the file properties separately. This is recommended for all users, independent of where you download KeePass from.

The KeePass website links to SourceForge for downloading KeePass. However, even if SourceForge (or the KeePass website) is compromised and serves a malicious download, users who check the digital signature will notice the attack and will not run the malware. Note that HTTPS cannot prevent a compromise of the download server; checking the digital signature does.

The version information file is downloaded from the KeePass website over HTTP. Thus a man in the middle (someone who can intercept your connection to the KeePass website) could have returned an incorrect version information file, possibly making KeePass display a notification that a new KeePass version is available. However, the next steps (downloading and installing the new version) must be carried out by the user manually, and here users who check the digital signature will notice the attack.

Resolution. In order to prevent a man in the middle from making KeePass display incorrect version information (even though this does not imply a successful attack, see above), the version information file is now digitally signed (using RSA-2048 and SHA-512). KeePass 2.34 and higher only accept such a digitally signed version information file. Furthermore, the version information file is now downloaded over HTTPS.
Click to expand...

but the HTTPS is over an insecure ssl certificate

Code (Text):

curl -I https://keepass.info/update/version2x.txt.gz
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

testssl run against the update file over their HTTPS connection reveals it's over a insecure SHA1 based ssl certificate too served via Apache 2.4.10 ! Which ain't good as Chrome EOL'd SHA1 support starting with Chrome 39-41

Code (Text):

testssl https://keepass.info/update/version2x.txt.gz          

###########################################################
    testssl       2.7dev from https://testssl.sh/dev/
    (1.493 2016/06/06 11:42:15)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on b2a5ba280992:/usr/local/http2-15/bin/openssl
 (built: "reproducible build, date unspecified", platform: "linux-x86_64")


 Start 2016-06-08 19:28:54    -->> 46.252.18.237:443 (keepass.info) <<--

 further IP addresses:   2a00:1158:1000:300::1ed
 rDNS (46.252.18.237):   salina.ispgateway.de.
 Service detected:       HTTP


 Testing protocols (via sockets except TLS 1.2, SPDY+HTTP2) 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 SPDY/NPN   not offered
 HTTP2/ALPN not offered

 Testing ~standard cipher lists 

 Null Ciphers                 not offered (OK)
 Anonymous NULL Ciphers       not offered (OK)
 Anonymous DH Ciphers         not offered (OK)
 40 Bit encryption            not offered (OK)
 56 Bit encryption            not offered (OK)
 Export Ciphers (general)     not offered (OK)
 Low (<=64 Bit)               not offered (OK)
 DES Ciphers                  not offered (OK)
 Medium grade encryption      not offered (OK)
 Triple DES Ciphers           offered
 High grade encryption        offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption as well as 3DES and RC4 here 

 PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA ECDHE-RSA-AES128-SHA 


 Testing server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH
 Cipher order
     TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA 
     TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA 
     TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES128-SHA AES256-SHA256 AES256-SHA DES-CBC3-SHA DHE-RSA-CAMELLIA256-SHA CAMELLIA256-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA 


 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "heartbeat/#15"
 Session Tickets RFC 5077     300 seconds (PFS requires session ticket keys to be rotated <= daily)
 SSL Session ID support       yes
 TLS clock skew               random values, no fingerprinting possible 
 Signature Algorithm          SHA1 with RSA
 Server key size              RSA 2048 bits
 Fingerprint / Serial         SHA1 D6DB83318B39A30BFCD1FF73DDABE98F90F0A7C8 / D7F0719CED679974
                              SHA256 F0204D222C23A38BF69338634D3AA80C1ED7F6365374BCB5067148CC9433C327
 Common Name (CN)             "webserver.ispgateway.de" (works w/o SNI)
 subjectAltName (SAN)         -- 
 Issuer                       "webserver.ispgateway.de" ("ispgateway" from "DE")
 EV cert (experimental)       no 
 Certificate Expiration       1582 >= 60 days (2010-10-11 14:28 --> 2020-10-08 14:28 +0000)
 # of certificates provided   1
 Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
 Certificate Revocation List  --
 OCSP URI                     --
 OCSP stapling                --


 Testing HTTP header response @ "/update/version2x.txt.gz" 

 HTTP Status Code             200 OK
 HTTP clock skew              0 sec from localtime
 IPv4 address in header        Strict Transport Security    --
 Public Key Pinning           --
 Server banner                Apache/2.4.10
 Application banner           --
 Cookie(s)                    (none issued at "/update/version2x.txt.gz")
 Security headers             --
 Reverse Proxy banner         --


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK) (timed out)
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/update/version2x.txt.gz" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (2016-0800, CVE-2016-0703), exper.  not vulnerable on this port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=F0204D222C23A38BF69338634D3AA80C1ED7F6365374BCB5067148CC9433C327 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
 BEAST (CVE-2011-3389)                     TLS1: DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
                                                 AES128-SHA DHE-RSA-AES128-SHA AES256-SHA
                                                 DHE-RSA-AES256-SHA CAMELLIA128-SHA DHE-RSA-CAMELLIA128-SHA
                                                 CAMELLIA256-SHA DHE-RSA-CAMELLIA256-SHA ECDHE-RSA-DES-CBC3-SHA
                                                 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA
                                           VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing all 183 locally available ciphers against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
-------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256          
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256          
 xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256          
 x9f     DHE-RSA-AES256-GCM-SHA384      DH 2048    AESGCM     256          
 x6b     DHE-RSA-AES256-SHA256          DH 2048    AES        256          
 x39     DHE-RSA-AES256-SHA             DH 2048    AES        256          
 x88     DHE-RSA-CAMELLIA256-SHA        DH 2048    Camellia   256          
 x9d     AES256-GCM-SHA384              RSA        AESGCM     256          
 x3d     AES256-SHA256                  RSA        AES        256          
 x35     AES256-SHA                     RSA        AES        256          
 x84     CAMELLIA256-SHA                RSA        Camellia   256          
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128          
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128          
 xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128          
 x9e     DHE-RSA-AES128-GCM-SHA256      DH 2048    AESGCM     128          
 x67     DHE-RSA-AES128-SHA256          DH 2048    AES        128          
 x33     DHE-RSA-AES128-SHA             DH 2048    AES        128          
 x45     DHE-RSA-CAMELLIA128-SHA        DH 2048    Camellia   128          
 x9c     AES128-GCM-SHA256              RSA        AESGCM     128          
 x3c     AES128-SHA256                  RSA        AES        128          
 x2f     AES128-SHA                     RSA        AES        128          
 x41     CAMELLIA128-SHA                RSA        Camellia   128          
 xc012   ECDHE-RSA-DES-CBC3-SHA         ECDH 256   3DES       168          
 x16     EDH-RSA-DES-CBC3-SHA           DH 2048    3DES       168          
 x0a     DES-CBC3-SHA                   RSA        3DES       168          


 Running browser simulations (experimental) 

 Android 2.3.7                 TLSv1 DHE-RSA-AES128-SHA
 Android 4.0.4                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.1.1                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.2.2                 TLSv1 ECDHE-RSA-AES128-SHA
 Android 4.3                   TLSv1.0 ECDHE-RSA-AES128-SHA
 Android 4.4.2                 TLSv1.1 ECDHE-RSA-AES128-SHA
 Android 5.0.0                 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Baidu Jan 2015                TLSv1 ECDHE-RSA-AES128-SHA
 BingPreview Jan 2015          TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Chrome 47 / OSX               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 31.3.0ESR / Win7      TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Firefox 42 / OSX              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 GoogleBot Feb 2015            TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 IE6 / XP                      No connection
 IE7 / Vista                   TLSv1.0 ECDHE-RSA-AES128-SHA
 IE8 / XP                      TLSv1.0 DES-CBC3-SHA
 IE8-10 / Win7                 TLSv1.0 ECDHE-RSA-AES128-SHA
 IE11 / Win7                   TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE11 / Win8.1                 TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE10 / Win Phone 8.0          TLSv1.0 ECDHE-RSA-AES128-SHA
 IE11 / Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
 IE11 / Win Phone 8.1 Update   TLSv1.2 DHE-RSA-AES128-GCM-SHA256
 IE11 / Win10                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 13 / Win10               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Edge 12 / Win Phone 10        TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Java 6u45                     TLSv1 DHE-RSA-AES128-SHA
 Java 7u25                     TLSv1 ECDHE-RSA-AES128-SHA
 Java 8u31                     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 0.9.8y                TLSv1 DHE-RSA-AES128-SHA
 OpenSSL 1.0.1l                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 OpenSSL 1.0.2e                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 5.1.9/ OSX 10.6.8      TLSv1 ECDHE-RSA-AES128-SHA
 Safari 6 / iOS 6.0.1          TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 6.0.4/ OS X 10.8.4     TLSv1 ECDHE-RSA-AES128-SHA
 Safari 7 / iOS 7.1            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 7 / OS X 10.9          TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 / iOS 8.4            TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 8 / OS X 10.10         TLSv1.2 ECDHE-RSA-AES128-SHA256
 Safari 9 / iOS 9              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
 Safari 9 / OS X 10.11         TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

 Done 2016-06-08 19:31:24    -->> 46.252.18.237:443 (keepass.info) <<--

Xon · Jun 9, 2016

Honestly, as long as the SSL cert is pinned by the application and the application verifies the download hash it isn't too bad. But still not good.

But at least fixing the server end is something which can be done without replacing all the clients.

eva2000 · Jun 10, 2016

Xon said: ↑

Honestly, as long as the SSL cert is pinned by the application and the application verifies the download hash it isn't too bad. But still not good.

But at least fixing the server end is something which can be done without replacing all the clients.
Click to expand...

indeed.. this has me thinking about centmin mod too.. switched all my download links within script to HTTPS version of centminmod.com site at least

Log in / Register

Forums

Get the most out of your Centmin Mod LEMP stack

Security KeePass Won't Fix a Security Flaw Because It Will Lose Advertising Revenue

eva2000 Administrator Staff Member

Xon Active Member

eva2000 Administrator Staff Member

Xon Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Xon Active Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Get the most out of your Centmin Mod LEMP stack

Security KeePass Won't Fix a Security Flaw Because It Will Lose Advertising Revenue

eva2000 Administrator Staff Member

Xon Active Member

eva2000 Administrator Staff Member

Xon Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Xon Active Member

eva2000 Administrator Staff Member

.