The vulnerability that allowed man-in-the-middle attacks on the popular KeePass password manager is reportedly set in the new KeePass 2.34 update.
The attacker could successfully exploit the technique used by older versions of KeePass to check for new updates. THE application it did not verify the information coming from the KeePass server or use a secure transport protocol to transmit the update to the user's system.
So the attacker could manage the information and deliver a malicious copy of KeePass to the end user.
So it is currently recommended that you download the new version of KeePass 2.34 from the project website or from the links below and not automatically from your application.
The new KeePass 2.34 version fixes the issue of update checks by sending version information via HTTPS, and signing them digitally. So today it will accept only version information files that have a digital signature.
All KeePass executable files are signed, and it is quite easy to verify that the digital signature is correct. To verify the signature, open the KeePass directory on your system, right-click on any executable file, select Properties from the menu, and view the "digital signatures."
The signature should say “Open Source Developer, Dominik Reichl". If it doesn't say so, immediately delete the files and scan your computer with a reliable antivirus.
We should mention that the application is one of the few of its kind that we prefer, as it saves them codeς πρόσβασης κρυπτογραφημένους, τοπικά και όχι κάπου στο διαnetwork.
KeePass 2.34
Installer:
Portable:
Supported operating systems:
Windows 98, 98, 2000, 2003, Mono (Linux, Mac OS X, BSD,…).
Prerequisites:
Microsoft .NET Framework ≥ 2.0 (already included in Windows Vista and higher) or Mono ≥ 2.6.
