The German Federal Office for Information Security (BSI), working with Munich-based MGM Security Partners, has found serious security flaws in the password manager Vaultwarden. The analysis turned up vulnerabilities rated as high criticality, and the BSI recommends updating the software immediately.
Vaultwarden is an open-source, lightweight implementation of the Bitwarden server API, written in the Rust programming language. Originally known as bitwarden_rs, it was renamed to Vaultwarden due to trademark considerations with the official Bitwarden project.
Bitwarden is an open-source password management service that allows individuals and organizations to securely store, manage, and share passwords and other sensitive information. It provides a secure vault where users can keep login credentials, credit card details, secure notes, and identities, all protected with end-to-end encryption.
Security Analysis Highlights Critical Flaws
Between February 12 and May 16, 2024, BSI and MGM performed static and dynamic analyses of Vaultwarden version 1.30.3. The examination found two high-criticality vulnerabilities that could let attackers compromise users and the application itself, plus a further HTML injection issue in the admin dashboard. The developers released version 1.32.0 on August 11, 2024 to address these issues. Administrators are advised to upgrade promptly to mitigate the risk.
Key Vulnerabilities
The first finding is a missing offboarding process for members who leave an organization. An organization's vault is encrypted under a shared organization key that every member holds a copy of; when a member is removed, that key is not rotated and the data is not re-encrypted. A former member who kept the key can therefore still decrypt the organization's data, including secrets added after their departure.
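To make the offboarding issue concrete, here is an added example (not Vaultwarden's or Bitwarden's code) that models the organization-vault key hierarchy in stdlib Python: one organization key, wrapped under each member's personal key, encrypts every shared item. The cipher is a toy HMAC-SHA256 counter-mode construction with separate encryption and MAC subkeys, standing in for Bitwarden's AES-CBC-plus-HMAC scheme; the symmetric key wrap stands in for the RSA wrap Bitwarden uses; the member names and item contents are constructed.

```python
"""Added example: why removing a member without rotating the organization
key leaves a former member able to decrypt items added after they left.
Simplified model, not Vaultwarden's or Bitwarden's code."""
import hashlib
import hmac
import os

KEY_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from one item key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter mode with HMAC-SHA256 as the PRF (illustration only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag  # encrypt-then-MAC


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class Organization:
    """One shared organization key; each member holds it wrapped under their own key."""

    def __init__(self) -> None:
        self.key = os.urandom(KEY_LEN)
        self.wrapped_keys: dict[str, bytes] = {}  # member -> org key wrapped for that member
        self.items: list[bytes] = []              # shared items, encrypted under self.key

    def add_member(self, name: str, member_key: bytes) -> None:
        self.wrapped_keys[name] = encrypt(member_key, self.key)

    def add_item(self, plaintext: bytes) -> None:
        self.items.append(encrypt(self.key, plaintext))

    def remove_member_without_rotation(self, name: str) -> None:
        # The behaviour the BSI report describes: the member's wrapped copy is
        # dropped, but the organization key itself stays the same.
        del self.wrapped_keys[name]

    def remove_member_with_rotation(self, name: str, remaining: dict[str, bytes]) -> None:
        # Proper offboarding: fresh org key, re-encrypt every item, re-wrap the
        # key for the members who stay. Anyone holding the old key is locked out.
        del self.wrapped_keys[name]
        new_key = os.urandom(KEY_LEN)
        self.items = [encrypt(new_key, decrypt(self.key, item)) for item in self.items]
        self.key = new_key
        for member, member_key in remaining.items():
            self.wrapped_keys[member] = encrypt(member_key, new_key)


ITEM_BEFORE = b"db-password: hunter2"            # constructed sample data
ITEM_AFTER = b"api-token added after departure"  # constructed sample data


def run_scenario(rotate_on_removal: bool):
    alice_key, mallory_key = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    org = Organization()
    org.add_member("alice", alice_key)
    org.add_member("mallory", mallory_key)
    org.add_item(ITEM_BEFORE)
    # While still a member, Mallory unwraps the org key and keeps a copy.
    kept_key = decrypt(mallory_key, org.wrapped_keys["mallory"])
    if rotate_on_removal:
        org.remove_member_with_rotation("mallory", {"alice": alice_key})
    else:
        org.remove_member_without_rotation("mallory")
    org.add_item(ITEM_AFTER)  # added after Mallory left
    return org, alice_key, kept_key


def former_member_can_read_new_item(rotate_on_removal: bool) -> bool:
    org, _, kept_key = run_scenario(rotate_on_removal)
    try:
        decrypt(kept_key, org.items[-1])
        return True
    except ValueError:
        return False


def remaining_member_can_read_everything(rotate_on_removal: bool) -> bool:
    org, alice_key, _ = run_scenario(rotate_on_removal)
    org_key = decrypt(alice_key, org.wrapped_keys["alice"])
    return [decrypt(org_key, item) for item in org.items] == [ITEM_BEFORE, ITEM_AFTER]


if __name__ == "__main__":
    print("no rotation, former member reads new item:", former_member_can_read_new_item(False))
    print("with rotation, former member reads new item:", former_member_can_read_new_item(True))
```

Without rotation the kept key still authenticates and decrypts the item added after removal; with rotation the MAC check on the re-encrypted item fails for the stale key while Alice, re-wrapped under the new key, still reads everything. The cost of the fix is the re-encryption of every item, which is why it has to be a deliberate step in the removal flow rather than something left to chance.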
The second finding is missing authorization checks when modifying the metadata of an existing emergency access grant. An attacker could alter the access level and the waiting period, potentially escalating from view-only access to a full account takeover and shortening the waiting period the account owner had set (seven days by default).
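The check that is missing in such a case is easiest to see side by side. Below is an added example in Python (not Vaultwarden's code, which is Rust on Rocket) of an "update emergency access" handler in a vulnerable form that only requires an authenticated caller, and a fixed form that requires the caller to be the grantor of the record. The in-memory store, the uuids and the `MAX_WAIT_DAYS` bound are constructed for the example.

```python
"""Added example (not Vaultwarden's code): the authorization check an
'update emergency access' endpoint needs."""
from dataclasses import dataclass

ACCESS_TYPES = ("view", "takeover")  # Bitwarden's two emergency access levels
MAX_WAIT_DAYS = 90                   # assumed upper bound, chosen for the example


@dataclass
class EmergencyAccess:
    uuid: str
    grantor_uuid: str   # account owner who granted the access
    grantee_uuid: str   # trusted contact who may request it
    access_type: str    # "view" or "takeover"
    wait_days: int      # days before an unanswered request is auto-approved


def update_vulnerable(store, caller_uuid, ea_uuid, access_type, wait_days):
    # Looks the record up by id only: any authenticated user who knows the
    # uuid, including the grantee, can rewrite the grantor's settings.
    ea = store[ea_uuid]
    ea.access_type = access_type
    ea.wait_days = wait_days
    return ea


def update_fixed(store, caller_uuid, ea_uuid, access_type, wait_days):
    ea = store.get(ea_uuid)
    # Bind the lookup to the caller: only the grantor owns this record.
    # Missing and forbidden are reported identically so uuids cannot be probed.
    if ea is None or ea.grantor_uuid != caller_uuid:
        raise PermissionError("emergency access not found or not owned by caller")
    if access_type not in ACCESS_TYPES:
        raise ValueError("unknown access type")
    if not 1 <= wait_days <= MAX_WAIT_DAYS:
        raise ValueError("wait period out of range")
    ea.access_type = access_type
    ea.wait_days = wait_days
    return ea


def make_store():
    # Constructed sample data: Alice granted Bob view-only access, 7-day wait.
    ea = EmergencyAccess("ea-1", grantor_uuid="alice", grantee_uuid="bob",
                         access_type="view", wait_days=7)
    return {ea.uuid: ea}


def grantee_can_escalate(handler) -> bool:
    """Bob (the grantee) tries to turn his grant into a 1-day takeover."""
    store = make_store()
    try:
        handler(store, "bob", "ea-1", "takeover", 1)
    except PermissionError:
        return False
    ea = store["ea-1"]
    return ea.access_type == "takeover" and ea.wait_days == 1


def grantor_can_update(handler) -> bool:
    """Alice (the grantor) legitimately changes her own grant."""
    store = make_store()
    ea = handler(store, "alice", "ea-1", "takeover", 14)
    return ea.access_type == "takeover" and ea.wait_days == 14


def grantor_update_rejected(handler, access_type, wait_days) -> bool:
    """True if the handler refuses an invalid value even from the grantor."""
    store = make_store()
    try:
        handler(store, "alice", "ea-1", access_type, wait_days)
    except ValueError:
        return True
    return False
```

The point generalizes: a record that has an owner must be loaded with the caller's identity as part of the query, not loaded by id and then trusted because the request carried a valid session. The range check is a secondary caveat, since a waiting period of zero would defeat the feature even when the grantor sets it.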
The assessment also found that the admin dashboard is vulnerable to HTML injection. By inserting HTML tags into fields that the dashboard renders, an attacker can change the page's appearance and content, embed malicious links and potentially execute scripts. This raises the risk of phishing and unauthorized data manipulation.
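As an added illustration (not Vaultwarden's templates, which are Handlebars), the following Python renders a user table the way a vulnerable admin page would, with a user-chosen display name interpolated raw, next to the fixed version that encodes the value for its HTML context at the point of output. The user records, the hostname `evil.example` and the row template are constructed.

```python
"""Added example (not Vaultwarden's code): HTML injection through a
user-controlled field on an admin page, and the output-encoding fix."""
import html

# Constructed sample data: the display name is chosen by the user at signup.
USERS = [
    {"email": "alice@example.com", "name": "Alice"},
    {"email": "mallory@example.com",
     "name": '<a href="https://evil.example/relogin">Session expired, sign in again</a>'},
]

ROW = "<tr><td>{name}</td><td>{email}</td></tr>"


def render_vulnerable(users) -> str:
    # Raw interpolation: whatever the user typed becomes markup in the
    # administrator's browser.
    return "<table>" + "".join(ROW.format(**u) for u in users) + "</table>"


def render_fixed(users) -> str:
    # Encode for the HTML text context at output time. quote=True also
    # escapes " and ', so the same helper is safe inside quoted attribute
    # values; it does not make data safe inside <script> or in a URL.
    escaped = ({k: html.escape(v, quote=True) for k, v in u.items()} for u in users)
    return "<table>" + "".join(ROW.format(**e) for e in escaped) + "</table>"


def injected_link_present(page: str) -> bool:
    # Detection used by the checks below: does the attacker's anchor survive?
    return '<a href="https://evil.example' in page


if __name__ == "__main__":
    print("vulnerable page carries the link:", injected_link_present(render_vulnerable(USERS)))
    print("fixed page carries the link:", injected_link_present(render_fixed(USERS)))
```

Escaping is the fix; a Content-Security-Policy that blocks inline script is the defence in depth that turns a missed escape into a defaced page rather than script execution in an administrator's session.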
Technical Assessments and Recommendations
The Vaultwarden server application was examined with a white-box methodology: the testers had access to both the source code and running instances. The identified vulnerabilities were documented and three Common Vulnerabilities and Exposures (CVE) entries were requested; because some related issues are exploited in the same way, they were combined into a single CVE entry.
Administrators using Vaultwarden should implement the latest updates to address these security issues. Version 1.32.0 includes patches that fix the vulnerabilities identified by BSI and MGM Security Partners.
KeePass Shows Fewer Issues
The researchers also analyzed the popular KeePass password manager. KeePass version 2.56 showed only low-criticality vulnerabilities. The global auto-type feature could be abused by a malicious website operator: KeePass selects entries whose title is contained in the active window's title, and a web page controls that title, so a site whose title contains the title of a KeePass entry can have that entry's credentials typed into it. Additionally, when importing data from Spamex.com, the TLS certificate validation is skipped, which could theoretically allow man-in-the-middle attacks on the import.
Caos Project Aims to Enhance Open-Source Security
The BSI evaluations are part of the CAOS 3.0 project (Codeanalyse von Open Source Software, code analysis of open-source software), an initiative launched in 2021 to examine popular open-source software for security weaknesses. The project aims to support development teams in writing secure code by identifying vulnerabilities and disclosing them responsibly to the maintainers before publication. Previous analyses have covered video conferencing tools such as Jitsi and BigBlueButton, as well as platforms such as Mastodon and Matrix.
LastPass Breach Highlights Industry Risks
The vulnerabilities found in Vaultwarden add to growing concerns about the security of password managers. In 2022, market leader LastPass suffered a significant breach that compromised customer vault data and basic account information. The incident began when a threat actor gained access to a LastPass software engineer’s corporate laptop, leading to the theft of source code and proprietary information. The full extent of the breach was disclosed in December 2022, highlighting serious lapses in security measures and communication.
Subsequent investigations revealed that the attacker also accessed a third-party cloud storage service and exfiltrated backups of customer vault data. Those vaults are encrypted with keys derived from each user's master password, so the practical exposure of an individual user depends on the strength of that password and the account's key-derivation settings.
Last Updated on November 7, 2024 2:32 pm CET