CVE-2020-16271

9.1 CRITICAL

📋 TL;DR

This vulnerability in KeePassRPC's SRP-6a implementation generates insufficiently random numbers, allowing remote attackers to read and modify KeePass database contents via WebSocket connections. It affects KeePassRPC versions before 1.12.0 when used with Kee Vault or similar integrations. Users who have KeePassRPC enabled and exposed to untrusted networks are at risk.

💻 Affected Systems

Products:
  • KeePassRPC
  • Kee Vault
Versions: All versions before 1.12.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires KeePassRPC plugin to be installed and enabled in KeePass. The vulnerability is in the SRP-6a implementation used for authentication.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of KeePass password database, allowing attackers to steal all stored credentials, modify passwords, and potentially gain access to all protected accounts and systems.

🟠

Likely Case

Attackers with network access to the KeePassRPC WebSocket interface can extract passwords and modify database contents, leading to credential theft and potential account takeovers.

🟢

If Mitigated

With proper network segmentation and KeePassRPC disabled, impact is limited to local attacks requiring physical or malware-based access to the system.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the KeePassRPC WebSocket interface (default port 12546). Public exploit code and detailed analysis are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.0 and later

Vendor Advisory: https://forum.kee.pm/t/a-critical-security-update-for-keepassrpc-is-available/3040

Restart Required: Yes

Instructions:

1. Update KeePassRPC plugin to version 1.12.0 or later.
2. Restart KeePass.
3. Verify the plugin version in KeePass Tools → Plugins.

🔧 Temporary Workarounds

Disable KeePassRPC (applies to: all platforms)

Completely disable the KeePassRPC plugin to eliminate the attack surface.

In KeePass: Tools → Plugins → Select KeePassRPC → Disable

Block WebSocket Port (applies to: all platforms)

Block network access to the KeePassRPC WebSocket interface. The rules below drop inbound connections from other hosts; the Linux rule excludes the loopback interface so that a browser extension on the same machine can still reach KeePassRPC.

Windows: netsh advfirewall firewall add rule name="Block KeePassRPC" dir=in action=block protocol=TCP localport=12546
Linux: sudo iptables -A INPUT ! -i lo -p tcp --dport 12546 -j DROP

🧯 If You Can't Patch

  • Disable KeePassRPC plugin immediately
  • Implement strict network segmentation to isolate systems running vulnerable KeePassRPC versions

🔍 How to Verify

Check if Vulnerable:

Check KeePassRPC plugin version in KeePass: Tools → Plugins → KeePassRPC → Version. If version is below 1.12.0, you are vulnerable.

Check Version:

In KeePass: Tools → Plugins → Select KeePassRPC → Version

Verify Fix Applied:

Verify KeePassRPC plugin version is 1.12.0 or higher in KeePass Tools → Plugins.

📡 Detection & Monitoring

Log Indicators:

  • Unusual WebSocket connections to port 12546
  • Multiple failed authentication attempts to KeePassRPC
  • Unexpected KeePass database access or modification events

Network Indicators:

  • External connections to TCP port 12546
  • WebSocket traffic to KeePassRPC endpoint from untrusted sources
  • Unusual network patterns to/from systems running KeePass

SIEM Query:

(source_port=12546 OR dest_port=12546) OR (process_name="KeePass" AND event_type="authentication_failure")
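As an added example (not taken from the page or the KeePassRPC project), the network and log indicators above turned into detection logic over connection-log lines: it flags connections to TCP 12546 whose source is not loopback and counts KeePassRPC authentication failures per source. The log line format, the event names, and the sample addresses are constructed assumptions.

```python
"""Flag the CVE-2020-16271 indicators over connection logs (example code)."""
import ipaddress
import re
from collections import Counter

KEEPASSRPC_PORT = 12546  # default KeePassRPC WebSocket port

# Constructed sample lines; the "<ts> <src>:<sport> -> <dst>:<dport> <event>"
# format and the event names are assumptions for this example.
SAMPLE_LOG = """\
2020-08-02T10:01:03Z 127.0.0.1:50112 -> 127.0.0.1:12546 ws_connect
2020-08-02T10:02:11Z 10.0.0.23:41000 -> 10.0.0.5:12546 ws_connect
2020-08-02T10:02:12Z 10.0.0.23:41000 -> 10.0.0.5:12546 keepassrpc_auth_failure
2020-08-02T10:02:13Z 10.0.0.23:41001 -> 10.0.0.5:12546 keepassrpc_auth_failure
2020-08-02T10:02:14Z 10.0.0.23:41002 -> 10.0.0.5:12546 keepassrpc_auth_failure
2020-08-02T10:05:00Z 198.51.100.7:55000 -> 10.0.0.5:12546 ws_connect
2020-08-02T10:06:00Z 10.0.0.5:49000 -> 93.184.216.34:443 tls_connect
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[^:\s]+):(?P<sport>\d+) -> "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+) (?P<event>\S+)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines not matching the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            events.append(d)
    return events


def remote_keepassrpc_connections(events):
    """Connections to the KeePassRPC port from a non-loopback source."""
    return [e for e in events
            if e["dport"] == KEEPASSRPC_PORT
            and not ipaddress.ip_address(e["src"]).is_loopback]


def auth_failure_bursts(events, threshold=3):
    """Sources with at least `threshold` KeePassRPC authentication failures."""
    counts = Counter(e["src"] for e in events if e["event"] == "keepassrpc_auth_failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in remote_keepassrpc_connections(evs):
        print(f"remote connection to KeePassRPC: {hit['src']} -> {hit['dst']} ({hit['event']})")
    for ip, n in auth_failure_bursts(evs).items():
        print(f"{n} KeePassRPC auth failures from {ip}")
```

Loopback connections are excluded because a browser extension on the same host legitimately talks to KeePassRPC; tune the failure threshold to your own baseline.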
