Password Manager: BSI Reports Critical Vulnerabilities in Vaultwarden

Together with the Munich-based company MGM Security Partners, the German Federal Office for Information Security (BSI) tested two password managers for possible flaws as part of the Code Analysis of Open Source Software project (Caos 3.0). The testers found the most to report in Vaultwarden: the experts identified two security vulnerabilities in the password storage solution and rated them as “high”. The investigation, which took place between February and May, concerned version 1.30.3. With version 1.32.0 from August 11, the developers have fixed the most important bugs based on the information provided. Admins should therefore update accordingly.

Vaultwarden is an alternative server implementation that supports the Bitwarden API and client applications, but is considered faster and more resource-efficient because it is written in Rust. There is no direct link between the two projects. MGM’s final report is dated June 11, but the BSI did not publish it until Monday. According to the report, the inspected version of the Vaultwarden server application has two security vulnerabilities of medium and high criticality, which an attacker can use to compromise users and the application.

“Vaultwarden does not provide an exit process for members” who leave an organization such as a business or authority, the authors write. “This means that the master keys needed to access the data are not exchanged in this case.” As a result, the person leaving the organization, whose access should effectively be revoked, still has the cryptographic key to the organization’s data. In combination with another vulnerability, which could be used to gain unauthorized access to encrypted data of other institutions, the former member would continue to have unauthorized access to all secrets of the respective organization in clear text, including those generated subsequently.

In addition, when the metadata of a configured emergency access is changed, the authorization of the user holding that emergency access is not checked, the testers explain. The conditions of the emergency scenario, including the access level and the waiting time, could then be modified via the endpoint. An attacker who had been granted access to an account by an administrator in this way could then access the account data with a higher level of access. They could also shorten the waiting period set by the owner, which is 7 days by default, as they wished.
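As an added illustration of the missing check described above (hypothetical code, not Vaultwarden’s own; the record layout, the `Store` type and the user names are assumptions), a simplified update handler in Rust, the vulnerable shape beside the corrected one:

```rust
// Added example (hypothetical, not Vaultwarden's own code): a simplified model of an
// emergency-access record and of the endpoint that updates its metadata.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub enum AccessType { View, Takeover }

#[derive(Clone, Debug)]
pub struct EmergencyAccess {
    pub grantor: String,     // account owner who configured the emergency contact
    pub grantee: String,     // contact who may request access after the waiting time
    pub access_type: AccessType,
    pub wait_time_days: u32, // the article names 7 days as the default
}

#[derive(Debug, PartialEq)]
pub enum Error { NotFound, Forbidden }

pub struct Store { pub records: HashMap<u32, EmergencyAccess> }

impl Store {
    /// Vulnerable shape: any authenticated caller may rewrite the terms.
    pub fn update_unchecked(&mut self, id: u32, _caller: &str, access_type: AccessType,
                            wait_time_days: u32) -> Result<(), Error> {
        let rec = self.records.get_mut(&id).ok_or(Error::NotFound)?;
        rec.access_type = access_type;
        rec.wait_time_days = wait_time_days;
        Ok(())
    }

    /// Hardened shape: only the grantor who set the terms may change them.
    pub fn update_checked(&mut self, id: u32, caller: &str, access_type: AccessType,
                          wait_time_days: u32) -> Result<(), Error> {
        let rec = self.records.get_mut(&id).ok_or(Error::NotFound)?;
        if rec.grantor != caller {
            return Err(Error::Forbidden); // reject before any field is touched
        }
        rec.access_type = access_type;
        rec.wait_time_days = wait_time_days;
        Ok(())
    }
}

/// Constructed sample: "alice" granted "mallory" view-only access with a 7-day wait.
pub fn demo_store() -> Store {
    let mut records = HashMap::new();
    records.insert(1, EmergencyAccess { grantor: "alice".into(), grantee: "mallory".into(),
                                        access_type: AccessType::View, wait_time_days: 7 });
    Store { records }
}
```

With the unchecked handler the grantee can switch the record to takeover and a zero-day wait; the checked handler refuses that call and leaves the record untouched.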

“The admin dashboard is vulnerable to HTML injection attacks,” the auditors also found. By inserting HTML tags, it is possible to alter the appearance and content of the page and, for example, embed links to malicious pages. Under certain circumstances, scripts could also be executed. The experts requested Common Vulnerabilities and Exposures (CVE) identifiers for the vulnerabilities of medium and high criticality mentioned above. As of August, CVE-2024-39924 has been fixed via patch #4715, CVE-2024-39925 via #4837 and CVE-2024-39926 via #4737. Scores according to the Common Vulnerability Scoring System (CVSS) and entries in the Common Platform Enumeration (CPE) are still missing.

In the KeePass solution, which was also analyzed, the inspectors encountered only a few vulnerabilities classified as low in version 2.56 (currently 2.57.1). The global auto-type functionality makes it possible to automatically enter the user name and password of any entry on a website if the title of the page contains the title of the KeePass entry at any position. This feature could be misused by malicious site operators to steal passwords belonging to other entries. Additionally, SSL certificate validation is skipped when importing data via Spamex. This would theoretically allow an attacker to carry out a man-in-the-middle attack. Due to a large amount of copy-and-pasted, duplicated code, some parts of the application also appeared “quite messy”, which is likely to make it harder to respond effectively to future vulnerabilities.

The Caos collaboration project has been running since 2021 with the aim of testing the security of popular open source software and helping the teams involved write secure code. Its operators notify developers in advance of any major vulnerabilities discovered, following a responsible disclosure process. As part of this initiative, the BSI and MGM have already examined the video conferencing tools Jitsi and BigBlueButton, as well as Mastodon and Matrix.


(vbr)

This article was originally published in German. It was translated with technical assistance and revised editorially before publication.