The vulnerability that allowed man-in-the-middle attacks on the popular KeePass password manager is reportedly fixed in the new KeePass 2.34 update.
An attacker could exploit the way older versions of KeePass checked for new updates. The application neither verified the version information that came from the KeePass server nor used a secure transport protocol to deliver the update to the user's system.
An attacker in the network path could therefore manipulate that information and deliver a malicious copy of KeePass to the end user.
It is therefore currently recommended that you download the new KeePass 2.34 from the project website or from the links below, rather than through the application's built-in update check.
KeePass 2.34 fixes the update check in two ways: version information is now sent over HTTPS, and it is digitally signed. From now on the application accepts only version information files that carry a valid digital signature.
All KeePass executable files are signed, and it is quite easy to verify that the digital signature is correct. To verify the signature, open the KeePass directory on your system, right-click on any executable file, select Properties from the menu, and view the "digital signatures."
The signature should state "Open Source Developer, Dominik Reichl". If the signature is missing or names a different publisher, delete the files immediately and scan your computer with a reliable antivirus.
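The same check can be scripted for every executable in the KeePass directory instead of clicking through Properties one file at a time. The following PowerShell is an added example, not code from the KeePass project; the default install path and the substring match on the signer name are assumptions.

```powershell
# Added example: verify the Authenticode signature of every KeePass executable.
# Assumptions: default install path below; the signer's certificate subject
# contains the name the article says the signature should show.
param(
    [string]$KeePassDir     = "$env:ProgramFiles\KeePass Password Safe 2",  # assumed default path
    [string]$ExpectedSigner = "Dominik Reichl"                              # name per the article
)

$results = Get-ChildItem -Path $KeePassDir -Include *.exe, *.dll -Recurse -File |
    ForEach-Object {
        # Status is 'Valid' only if the file is signed AND the chain is trusted
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status
            Signer  = $subject
            Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
        }
    }

$results | Format-Table File, Status, Trusted -AutoSize

# Any unsigned, invalidly signed, or differently signed file is a red flag:
# treat it as the article advises (remove it and scan the machine).
$bad = @($results | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    $bad | ForEach-Object { Write-Warning "Untrusted: $($_.File) [$($_.Status)] $($_.Signer)" }
    exit 1
}
"All $($results.Count) files carry a valid signature from '$ExpectedSigner'."
```

A non-zero exit code makes the script usable from a scheduled task or endpoint-management job, so a tampered KeePass installation is flagged rather than silently trusted.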
Please note that the application is one of the few of its kind, as it stores the encrypted passwords locally rather than somewhere on the internet.
KeePass 2.34
Installer:
Portable:
Supported operating systems:
Windows 98, 2000, 2003, Mono (Linux, Mac OS X, BSD, …).
Prerequisites:
Microsoft .NET Framework ≥ 2.0 (already included in Windows Vista and higher) or Mono ≥ 2.6.