KeePass update check MitM flaw can lead to malicious downloads

  • 2 June 2016
  • 3 replies
  • 307 views

Zeljka Zorz - June 2, 2016
 
Open source password manager KeePass sports a MitM vulnerability that could allow attackers to trick users into downloading malware disguised as a software update, security researcher Florian Bogner warns.
 
All versions of KeePass, including the latest, are vulnerable. The team developing the software is aware of the flaw (CVE-2016-5119), but they currently have no intention of fixing it.
 

 
Full Article


Hi Jasper, thanks for the heads up on that one...another case of a vulnerability being known to the developer but with no intention of fixing it...:S
Thanks for the info Jasper.
 
As a KeePass user it is a bit worrying but the article is very helpful in providing users with a secure download option and reminding us to check the digital certificate once downloaded. A quick check on VirusTotal doesn't go amiss either!
 
It has at least reminded me to update to the latest version.
Flaw allows for MitM attacks during KeePass' update process

Jun 5, 2016 21:00 GMT · By Catalin Cimpanu

The developer of the KeePass password manager has intentionally declined to fix a security flaw that allows for MitM (Man-in-the-Middle) attacks on the app's update process.
 
Back in February, Florian Bogner, a developer for Kapsch BusinessCom, discovered that all KeePass 2.x versions featured an insecure update mechanism that asked the KeePass servers for new releases via an insecure HTTP connection.
 


Full Article
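Since the update check described in the article runs over plain HTTP, the advice in the earlier reply to check the digital certificate of whatever you download is the practical defence. The PowerShell snippet below is an added example, not code from the articles or the KeePass project: it checks a downloaded installer's Authenticode signature and compares its SHA-256 with the hash published on the official download page. `$InstallerPath` and the expected-hash placeholder are assumptions you fill in yourself.

```powershell
# Added example (not from the article or the KeePass project): verify a downloaded
# installer's Authenticode signature and SHA-256 hash before running it.
# $InstallerPath and $ExpectedSha256 are placeholders; the expected hash should
# come from the official download page, never from the update check itself.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    [string]$ExpectedSha256 = '<SHA256-FROM-OFFICIAL-DOWNLOAD-PAGE>'
)

$sig = Get-AuthenticodeSignature -FilePath $InstallerPath

# Only 'Valid' is acceptable: NotSigned, HashMismatch or NotTrusted all mean "do not run".
if ($sig.Status -ne 'Valid') {
    Write-Error "Signature status is $($sig.Status): $($sig.StatusMessage)"
    exit 1
}

# Show the signer so the user can compare it with the publisher they expect;
# a valid signature from an unexpected publisher is still a red flag.
$signer = $sig.SignerCertificate
"Signer subject : $($signer.Subject)"
"Issuer         : $($signer.Issuer)"
"Thumbprint     : $($signer.Thumbprint)"
"Valid from/to  : $($signer.NotBefore) -> $($signer.NotAfter)"

# Independently compare the file hash with the value published on the official site.
$actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($ExpectedSha256 -notmatch '^[0-9A-Fa-f]{64}$') {
    Write-Warning 'No expected SHA-256 supplied; skipping hash comparison.'
} elseif ($actual -ine $ExpectedSha256) {
    Write-Error "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
    exit 1
} else {
    'SHA-256 matches the published value.'
}
```

Run it as `.\Check-Installer.ps1 -InstallerPath .\KeePass-Setup.exe -ExpectedSha256 <hash>`; a valid signature alone is not proof of authenticity, so the signer subject and the published hash are both worth comparing.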
