KeePass Update: Reduce security risk due to CVE 2023-32784 and delete memory dumps

The latest KeePass update, version 2.54, has been released. It finally closes CVE-2023-32784, which allowed the master password to be read from memory image files. The update alone is not enough to protect against this vulnerability, because a significant risk remains.

Note: This is a translation – you are welcome to contribute corrections via the comments.

This is mainly due to Windows itself: the file used for hibernation and Fast Startup, the paging (swap) file, the minidumps and the full memory dumps written on a blue screen. A memory image containing the master password could still be present in any of these files. Even deleting them does not give immediate protection, because their contents may still be recoverable from free space.

Therefore, only one thing remains: all affected files must be deleted and the free space must be overwritten. Of course, this involves some effort, but with my instructions below, anyone should be able to do this.

Instructions: Prevent recovery of KeePass master password after update

Start cmd as administrator

Enter the command

powercfg -H off

to disable hibernation and Fast Startup.

Disable the memory dump under

Control Panel->System->Advanced System Settings->Startup and Recovery->Settings

by setting “Write debugging information” to “None”.

Disable under

Control Panel->System->Advanced System Settings->Performance->Settings->Advanced->Virtual Memory->Change

the paging (swap) file by selecting “No paging file” and clicking “Set”.

Restart the computer with “restart”.

After restarting, check again whether the paging file was really disabled completely.

Start cmd as administrator

Execute the commands:

del %SystemRoot%\MEMORY.DMP
del C:\hiberfil.sys
del C:\pagefile.sys

The memory dump should now be deleted without an error message, while the other two files are acknowledged with “could not be found”.

The other two files could not be found because we disabled them earlier (see above). If a different error message appears here, you have not deactivated the files and restarted the PC; without a restart these files cannot be deleted.

Now we open the path

C:\Windows\Minidump

and delete all files in this folder.

Empty the recycle bin on the desktop.

Run a disk cleanup under

“This PC”->Right click on C->Properties->Disk Cleanup

and select all available options.

After that, repeat the process, but this time click on “Clean up system files”. Select everything here as well.

A reminder: empty the recycle bin on the desktop as well.

Start cmd again as administrator

Overwrite all the free space with the following command:

cipher /w:C:

Wait until the process is complete (this may take several hours depending on the disk).

For best results, it is recommended not to use any other programs.

After that, activate Fast Startup and hibernation again with the command:

powercfg -H on

Re-enable the paging file (see above) unless you have more than enough memory. If you do not re-enable it, you may run into problems when RAM runs short.

To do this, select under

Control Panel->System->Advanced System Settings->Performance->Settings->Advanced->Virtual Memory->Change

“Automatically manage paging file size for all drives”.

After that, you can restart the computer.
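A check of the state the steps above are meant to reach, as an added example that is not part of the original post: it reads the hibernation, crash-dump and paging-file settings from the registry and looks for the files that can still hold a memory image, so you can confirm the disabling and deletion steps took effect before (or after) wiping free space. It assumes an elevated PowerShell session on a standard Windows 10/11 installation; the registry value names used are the ones Windows stores these settings under.

```powershell
# Added example (not from the original post): verify that hibernation, crash dumps
# and the paging file are off and that no memory-image files remain.
# Assumes an elevated PowerShell session on a standard Windows 10/11 install.
function Test-MemoryImageCleanup {
    $problems = @()

    # powercfg -H off clears HibernateEnabled (hibernation and Fast Startup)
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    if ($power.HibernateEnabled -ne 0) {
        $problems += 'Hibernation still enabled (run powercfg -H off)'
    }

    # "Write debugging information: None" stores CrashDumpEnabled = 0
    $crash = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    if ($crash.CrashDumpEnabled -ne 0) {
        $problems += "Crash dump type is $($crash.CrashDumpEnabled), expected 0 (None)"
    }

    # "No paging file" leaves PagingFiles empty; the change only takes effect after a reboot,
    # so also check whether a paging file is still in use right now
    $mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $configured = @($mm.PagingFiles | Where-Object { $_ -and $_.Trim() })
    if ($configured.Count -gt 0) {
        $problems += "Paging file still configured: $($configured -join ', ')"
    }
    $inUse = @(Get-CimInstance Win32_PageFileUsage)
    if ($inUse.Count -gt 0) {
        $problems += "Paging file still in use (reboot pending?): $($inUse.Name -join ', ')"
    }

    # Files that may still contain a memory image with the master password
    $files = @("$env:SystemRoot\MEMORY.DMP", "$env:SystemDrive\hiberfil.sys", "$env:SystemDrive\pagefile.sys")
    foreach ($f in $files) {
        if ([System.IO.File]::Exists($f)) { $problems += "Still present: $f" }
    }
    $mini = @(Get-ChildItem -LiteralPath "$env:SystemRoot\Minidump" -File -Force -ErrorAction SilentlyContinue)
    if ($mini.Count -gt 0) {
        $problems += "Minidump folder not empty ($($mini.Count) files)"
    }

    return $problems
}

$result = Test-MemoryImageCleanup
if ($result.Count -eq 0) {
    Write-Host 'OK: settings are off and no memory-image files were found'
} else {
    $result | ForEach-Object { Write-Host "CHECK: $_" }
}
```

Run it once after the restart that follows the disabling steps and again after the deletions; any line starting with CHECK names a step that has not taken effect yet.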

What is recommended to further secure KeePass and Windows?

In addition to a master password, use a keyfile

This is a file that effectively extends the password. The keyfile can provide additional protection, e.g. if the password is captured by a keylogger.

Increase the iterations in KeePass

You can adjust the iterations in the database settings of KeePass (File->Database Settings->Security). As a guideline, I recommend a number of iterations that take about 10 seconds to complete. This will make brute force attacks (attacks where a large number of different passwords are tested) on your database file much more difficult.

Enable memory integrity

Enable “Memory Integrity” in Windows under Windows Security->Device Security->Core Isolation.
