Password manager: BSI reports critical vulnerabilities in Vaultwarden
In an open source code analysis, the BSI examined the password managers Vaultwarden and KeePass for security features – with unequal results.
Together with the Munich-based company MGM Security Partners, the German Federal Office for Information Security (BSI) has tested two password managers for possible defects as part of its project for analyzing the code of open source software (Caos 3.0). The testers found the most to report in Vaultwarden: the experts identified two security vulnerabilities in the password storage solution and rated them as "high". The investigation, which took place between February and May, covered version 1.30.3. With version 1.32.0 from August 11, the developers fixed the most important bugs based on the information provided. Administrators should therefore update accordingly.
Vaultwarden supports the frontend and applications of the alternative Bitwarden, but is considered faster and more resource-efficient due to its implementation in Rust. There is no direct connection between the two projects. The results report from MGM dates back to June 11, but the BSI only published it on Monday. According to the report, the inspected version of the Vaultwarden server application has two security vulnerabilities of medium and high criticality, which an attacker can use to compromise users and the application.
"Vaultwarden does not provide an offboarding process for members" who leave an organization such as a company or authority, the authors write. "This means that the master keys required for data access are not exchanged in this case." As a result, the person leaving the organization, whose access should actually be revoked, still holds the cryptographic key to the organization's data. In combination with a further vulnerability, which could be used to gain unauthorized access to encrypted data of other institutions, the former member would continue to have unauthorized access to all secrets of the respective organization in plain text, including those generated later.
The biggest bugs have been fixed
In addition, when the metadata of an emergency access that has already been set up is changed, the server does not check whether the user concerned is actually authorized to do so, the testers explain. The conditions for the emergency scenario, including the access level and the waiting time, could be changed retroactively via the endpoint. An attacker who has been granted access to an account by an admin in this way would then be able to access the account's data at a higher access level. They could also shorten the waiting time set by the owner, which is 7 days by default, as they wish.
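The missing check, as an added illustration in Rust (the language Vaultwarden is written in); this is not Vaultwarden's own code, and the `Store`, `EmergencyAccess` and `AccessType` names are assumptions. It shows an update path that lets any logged-in user rewrite the terms of an emergency access beside one that only lets the grantor who set it up change the access level or waiting time.

```rust
// Added illustration of the missing authorization check (hypothetical types,
// not Vaultwarden's own code).
use std::collections::HashMap;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum AccessType { View, Takeover }

#[derive(Clone, Debug, PartialEq)]
pub struct EmergencyAccess {
    pub id: u32,
    pub grantor_id: u32,     // account owner who set up the emergency access
    pub grantee_id: u32,     // trusted contact who may later request access
    pub access_type: AccessType,
    pub wait_time_days: u32, // article: 7 days by default
}

#[derive(Debug, PartialEq)]
pub enum UpdateError { NotFound, Forbidden }

pub struct Store { pub records: HashMap<u32, EmergencyAccess> }

impl Store {
    /// Defective shape: whoever is logged in and knows the id can rewrite the terms,
    /// so the grantee can raise the access level and shorten the waiting time.
    pub fn update_unchecked(&mut self, id: u32, t: AccessType, wait: u32) -> Result<(), UpdateError> {
        let ea = self.records.get_mut(&id).ok_or(UpdateError::NotFound)?;
        ea.access_type = t;
        ea.wait_time_days = wait;
        Ok(())
    }

    /// Hardened shape: the terms belong to the grantor, so the requester must be the
    /// grantor of exactly this record before any field is touched.
    pub fn update_checked(&mut self, requester: u32, id: u32, t: AccessType, wait: u32)
        -> Result<(), UpdateError> {
        let ea = self.records.get_mut(&id).ok_or(UpdateError::NotFound)?;
        if ea.grantor_id != requester {
            return Err(UpdateError::Forbidden);
        }
        ea.access_type = t;
        ea.wait_time_days = wait;
        Ok(())
    }
}

/// Constructed sample: user 1 granted user 2 view-only emergency access with a 7-day wait.
pub fn sample_store() -> Store {
    let mut records = HashMap::new();
    records.insert(10, EmergencyAccess { id: 10, grantor_id: 1, grantee_id: 2,
        access_type: AccessType::View, wait_time_days: 7 });
    Store { records }
}
```

With the check in place, a grantee's attempt to switch to takeover and set the wait to zero is rejected and the record is left untouched; the same request succeeds against the unchecked variant.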
"The admin dashboard is vulnerable to HTML injection attacks," the auditors also discovered. By inserting HTML tags, it is possible to change the appearance and content of the page and, for example, embed links to malicious pages. Under certain circumstances, scripts could also be executed. The experts requested security advisories as CVEs (Common Vulnerabilities and Exposures) for the aforementioned vulnerabilities of medium or high criticality. Since August, CVE-2024-39924 via patch #4715, CVE-2024-39925 with #4837 and CVE-2024-39926 via #4737 have been fixed. Ratings or entries according to the Common Vulnerability Scoring System (CVSS) and Common Platform Enumeration (CPE) are missing.
No serious vulnerabilities in KeePass
In the KeePass solution, which was also analyzed, the inspectors only came across several vulnerabilities classified as low in version 2.56 (currently 2.57.1). The global auto-type feature allows the user name and password of any entry to be entered automatically into a website if the title of the web page contains the title of the KeePass entry at any position. Malicious site operators could misuse this function to steal passwords from other entries. In addition, SSL certificate validation is skipped when importing data via Spamex, which would theoretically allow an attacker to carry out a man-in-the-middle attack. Due to a large amount of copy-paste code duplication, parts of the application also appeared "quite untidy", which is likely to make responding effectively to future vulnerabilities more difficult.
The Caos collaboration project has been running since 2021, with the aim of testing the security of popular open-source software and helping the relevant teams to write secure code. The project partners inform the developers of any more extensive vulnerabilities discovered in advance, following a responsible disclosure process. As part of the initiative, BSI and MGM have already examined the video conferencing tools Jitsi and BigBlueButton as well as Mastodon and Matrix.
(vbr)