RedTeam Pentesting, a German software security company, has published a security assessment of Bitwarden, a password manager. The assessment focused on decrypting the vault database when users enable the Windows Hello feature, which lets them unlock the vault with a fingerprint or facial recognition instead of typing the master password.
RedTeam discovered that Bitwarden uses the Windows Credential Manager to store the vault decryption key after the user enters the master password for the first time. Credential Manager encrypts its contents with the user's Windows password and also backs up the encryption key to the domain controller. Microsoft designed this so that a user who forgets or changes their password can still recover the data stored in Credential Manager. Consequently, an attacker with access to both the domain controller and the victim's device can decrypt the Bitwarden vault.
RedTeam notified both Microsoft and Bitwarden of this attack vector. Microsoft stated that Credential Manager was functioning as intended, while Bitwarden acknowledged that an attacker should not be able to decrypt the vault even with access to the user's device. As a fix, Bitwarden released update 2023.4.0, which uses the Windows KeyCredentialManager API so that decryption is only possible after the user has actually verified their identity with Windows Hello. RedTeam considers this a valid fix, but further testing is required to confirm whether any additional vulnerabilities exist.
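As an added illustration of the design change described above (not Bitwarden's or RedTeam's code), the following C# contrasts the pre-fix approach of placing the raw key in Credential Manager with wrapping it under a Windows Hello-gated signature via KeyCredentialManager. The credential name, challenge string, key sizes and the assumption that Hello signatures are deterministic are choices made here for the example.

```csharp
// Added illustration of the two designs discussed above; not Bitwarden's code.
// Assumes a .NET 8 project targeting net8.0-windows10.0.19041.0, which projects the
// WinRT Windows.Security.* APIs. Credential name and challenge string are placeholders.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Windows.Security.Credentials;
using Windows.Security.Cryptography;
using Windows.Storage.Streams;

static class VaultKeyProtection
{
    const string CredName = "VaultKeyDemo";   // placeholder

    // Pre-fix design: the raw vault key goes straight into Credential Manager. Windows
    // protects it with DPAPI, keyed from the logon password and backed up to the domain
    // controller, so nobody has to be present or pass Windows Hello to decrypt it.
    public static void StoreUnwrapped(byte[] vaultKey) =>
        new PasswordVault().Add(new PasswordCredential(CredName, "vault-key", Convert.ToBase64String(vaultKey)));

    // Post-fix design: wrap the vault key under a secret that only exists after a successful
    // Windows Hello prompt. The Hello private key stays in the platform key store and
    // RequestSignAsync returns only after the user verifies, so a copy of the stored blob
    // plus the DPAPI keys is no longer enough to recover the vault key.
    public static async Task<byte[]> WrapWithWindowsHello(byte[] vaultKey)
    {
        if (!await KeyCredentialManager.IsSupportedAsync())
            throw new PlatformNotSupportedException("Windows Hello is not configured");
        var opened = await KeyCredentialManager.OpenAsync(CredName);
        if (opened.Status == KeyCredentialStatus.NotFound)
            opened = await KeyCredentialManager.RequestCreateAsync(CredName, KeyCredentialCreationOption.FailIfExists);
        if (opened.Status != KeyCredentialStatus.Success)
            throw new InvalidOperationException($"Hello key unavailable: {opened.Status}");

        // Sign a fixed challenge. This assumes the Hello key signs with RSA PKCS#1 v1.5, which is
        // deterministic, so the same challenge yields the same bytes on every unlock.
        IBuffer challenge = CryptographicBuffer.ConvertStringToBinary(CredName + "/challenge/v1", BinaryStringEncoding.Utf8);
        var signed = await opened.Credential.RequestSignAsync(challenge);
        if (signed.Status != KeyCredentialStatus.Success)
            throw new UnauthorizedAccessException($"Windows Hello verification failed: {signed.Status}");
        CryptographicBuffer.CopyToByteArray(signed.Result, out byte[] signature);

        // Derive a 256-bit wrapping key from the signature, then AES-GCM encrypt the vault key.
        byte[] wrapKey = HKDF.DeriveKey(HashAlgorithmName.SHA256, signature, 32);
        byte[] nonce = RandomNumberGenerator.GetBytes(12), tag = new byte[16], ct = new byte[vaultKey.Length];
        using var aes = new AesGcm(wrapKey, 16);
        aes.Encrypt(nonce, vaultKey, ct, tag);
        return nonce.Concat(ct).Concat(tag).ToArray();   // store this blob; unwrap by repeating the signature
    }
}
```

Unwrapping repeats the OpenAsync/RequestSignAsync steps to rebuild the same wrapping key, which is why every unlock forces a live Windows Hello verification rather than a lookup of stored material.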
Exploiting this vulnerability may prove difficult, since the attacker first needs access to the victim's device. Nevertheless, the assigned identifier, CVE-2023-27706, carries a CVSSv3.1 score of 7.1, which places it in the high-severity range.
Source: RedTeam Pentesting
TLDR: RedTeam Pentesting published a security assessment of Bitwarden, a password manager. The assessment revealed a vulnerability that allows an attacker with access to both the victim's device and the domain controller to decrypt the Bitwarden vault. Bitwarden addressed the issue with an update that requires the user's identity to be verified through Windows Hello before the vault can be decrypted. Although difficult to exploit, the vulnerability is rated with a CVSSv3.1 score of 7.1.