Discussion about CVE-2024-33900 and CVE-2024-33901 #10784
Comments
|
Is #10618 somehow related to this? |
|
We zero out all sensitive memory that we allocate directly and we try to zero out all memory that we don't control by overriding the delete operator (see https://github.com/keepassxreboot/keepassxc/blob/develop/src/core/Alloc.cpp#L58). Unfortunately, this doesn't work in all cases and Qt being Qt can leave traces behind. My guess is that these traces come primarily from buffer reallocations. This is a known issue and nothing new. On platforms that support it, we have access restrictions in place to make it much harder to dump memory in the first place. |
|
Thanks for the prompt answer, may I ask which platforms support it? Is this problem only confined to Windows builds or does it also affect Linux? |
|
On Linux, we can only disable Coredumps. On MacOS, we prevent ptrace, and on Windows we prevent memory access via DACLs. The problem itself affects all platforms and probably all password managers in existence, unless they use a special hardened UI kit (I wouldn't know of any). |
CVE-2024-33900 and CVE-2024-33901 have been assigned by Mitre to this highly professional report.
IMO being able to dump plaintext creds from the process memory, when the database is unlocked, is a normal behavior and not a bug. The reporter also mentions:
which indeed sounds weird.
My following reasoning is purely hypothetical due to poor details shared by the reporter and me not having reproduced the bug.
When the database gets locked, I expect there will be some allocated memory being freed. That memory might contain data from when the database was unlocked and should be zeroed before being released. Do you think that non-zeroed freed memory could be the cause?
The text was updated successfully, but these errors were encountered: