When KeePassRPC (version 1.13.0 or higher) detects a previously authorised client which uses the same encryption key as the one used during a successful exploit of the first related vulnerability fixed in KeePassRPC 1.12.x, we display a warning message.
In the current version of KeePassRPC, this reads:
Your KeePass instance may have previously been exploited by a malicious attacker.
The passwords contained within any databases that were open before this point may have been exposed so you should change them.
If you see this message and are certain that you and your system administrators have never intentionally tested your KeePass installation for susceptibility to this vulnerability, you should take immediate action.
What you should do if you see this message
- Close the warning message if it is still open.
- Close or lock all KeePass databases (but leave KeePass running).
- Navigate to the “Authorised clients” tab in “KeePassRPC (Kee) Options”, which you will find in your KeePass “Tools” menu.
- You may see the warning message a second time at this point - you can just dismiss it and continue.
- Scroll down the list of authorised clients to find clients that are listed in red (this is the only colour ever used in this list other than black). There may be more than one.
- We recommend that you take a screenshot or otherwise record the details of this authorised client before proceeding. This may be useful for future forensic or criminal investigations.
- If the client Expiry date is in the past then there has been no way for the client to extract any information from your KeePass database since that date. Make sure you keep a record of this date.
- Delete the information about this suspicious client by clicking on the “Revoke” button at the end of the red client row.
- Close and re-open the “KeePassRPC (Kee) Options” dialog to verify that the warning message no longer appears.
- Change the password for every entry in every database that had been opened in your KeePass installation, unless the expiry date of the client authorisation is before you first opened the database or before the last time that you changed an individual entry password. We recommend focussing your efforts first upon identity, security and financial entries such as email accounts, internet routers, computer passwords and banks. If you have many hundreds or thousands of affected passwords, you may wish to research further on this community forum for additional factors that may have prevented the exposure of some of your passwords.
When the message can appear
- We check every authorised client when you open the “KeePassRPC (Kee) Options” dialog.
- We check each authorised client when it attempts to connect to KeePassRPC.
Technical explanation
An exploit of CVE-2020-16271 leads to a predictable encryption key being associated with the connection. Specifically, 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9, the SHA-256 hash of the ASCII character 0.
KeePassRPC 1.13.0 and higher will therefore inspect the value of a client’s encryption key and display this warning if a match is found.
This encryption key value results when a client selects 0 for its SRP parameter A. We know of no legitimate clients that can select this value. Therefore, the use of this value indicates one of the following:
- A malicious client having previously exploited CVE-2020-16271
- A non-compliant client sending the value accidentally. Neither Kee nor KeeBird will do this but we do not necessarily know of every KeePassRPC SRP client implementation in the world.
- Someone with access to the localhost websocket port researched or experimented with connecting a malicious or non-compliant client to your KeePass instance.
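The following is an added example written for this post; it is not KeePassRPC's own code. It shows the two defensive checks the explanation above describes: recomputing the known-bad key (SHA-256 of the ASCII character 0) and scanning a list of authorised clients for it, recording whether each hit's expiry date is already in the past as the procedure asks, and the server-side SRP rule from RFC 5054 that rejects a client public value A with A mod N == 0 before any key is derived. The client list, names, dates and the small modulus 23 are constructed for illustration only.

```python
import hashlib
from datetime import date

# Key that results from SRP parameter A = 0: SHA-256 of the single ASCII
# character "0". This is the value quoted in the technical explanation above.
KNOWN_BAD_KEY_HEX = hashlib.sha256(b"0").hexdigest()


def srp_public_value_is_invalid(a_public: int, n_modulus: int) -> bool:
    """Server-side check from RFC 5054 section 2.5.4: the host must abort the
    handshake if A mod N == 0. A client sending A = 0 (or any multiple of N)
    collapses the shared secret to a fixed value, which is how a predictable
    session key arises. Returns True when the value must be rejected."""
    return a_public % n_modulus == 0


def flag_suspicious_clients(clients, today: date):
    """Return every authorised client whose stored key equals the known-bad
    value. 'expired' mirrors the step in the procedure above: an expiry date
    in the past means the client could not have connected since that date."""
    flagged = []
    for client in clients:
        if client["key_hex"].lower() != KNOWN_BAD_KEY_HEX:
            continue
        expiry = date.fromisoformat(client["expiry"])
        flagged.append({
            "name": client["name"],
            "expiry": client["expiry"],
            "expired": expiry < today,
        })
    return flagged


# Constructed sample of an "Authorised clients" list. Names and dates are
# hypothetical; the first and third keys are filler hex, not real client keys.
SAMPLE_CLIENTS = [
    {"name": "Kee (Firefox)", "key_hex": "a3f1" * 16, "expiry": "2021-01-15"},
    {"name": "Unknown client", "key_hex": KNOWN_BAD_KEY_HEX, "expiry": "2020-09-01"},
    {"name": "KeeBird", "key_hex": "7C0E" * 16, "expiry": "2020-12-31"},
]


def check_sample_list(today_iso: str = "2020-10-01"):
    """Run the scan over the constructed list as of the given date."""
    return flag_suspicious_clients(SAMPLE_CLIENTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for hit in check_sample_list():
        print(f"RED: {hit['name']} expiry={hit['expiry']} expired={hit['expired']}")
    # Illustrative modulus only; real SRP groups are 1024-bit or larger.
    print("A = 0 rejected:", srp_public_value_is_invalid(0, 23))
```

The comparison is deliberately against the stored key rather than the handshake parameter, matching the situation described above where the exploit happened before the fix and only the resulting authorisation record remains to be inspected.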