An update on the reported vulnerability of Enpass for Windows PC

A few days back, Florian Bogner reported a security flaw in Enpass for Windows that could have led to a local code injection attack. This has been fixed in version v5.4.

Summary

A local code injection vulnerability was detected in Enpass that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. Enpass.exe tries to read its OpenSSL configuration from the file openssl.cnf located at c:\usr\local\ssl\openssl.cnf. Because of the special ACLs of the filesystem on the C: drive, any local user can create the normally non-existent path c:\usr\local\ssl\ and place a malicious openssl.cnf there. That file can load a malicious DLL into the parent process and execute arbitrary code without the user's knowledge.


Affected Version: Enpass 5.3.1 or earlier, of the traditional Windows desktop app
Tested on: Windows 7
Fix: Enpass 5.4.1 for Windows PC
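
A defender-side check for the condition described above, as an added example that is not Enpass code: it finds the nearest existing ancestor of c:\usr\local\ssl\openssl.cnf and lists principals other than SYSTEM, Administrators and TrustedInstaller whose ACL entries allow creating files or folders there. The trusted-SID list and the function names are assumptions made for illustration.

```powershell
# Added example (not Enpass code): audit who can plant a file at the OpenSSL path.
$Target = 'C:\usr\local\ssl\openssl.cnf'   # path named in the advisory

# SIDs treated as trusted writers (assumption; adjust to local policy):
# SYSTEM, BUILTIN\Administrators, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# plus GENERIC_WRITE and GENERIC_ALL, which some ACEs carry unmapped.
$WriteBits   = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-NearestExistingPath([string]$Path) {
    # The advisory's path normally does not exist, so walk up to the first
    # ancestor that does: its ACL decides who may create the missing parts.
    while ($Path -and -not (Test-Path -LiteralPath $Path)) {
        $Path = Split-Path -Path $Path -Parent
    }
    return $Path
}

function Get-NonAdminWriter([string]$Path) {
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this object itself.
        if (([int]$rule.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteBits) -ne 0) {
            [pscustomobject]@{ Path = $Path; Sid = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
        }
    }
}

$node     = Get-NearestExistingPath $Target
$findings = @(Get-NonAdminWriter $node)
if ($node -eq $Target) { Write-Warning "$Target exists; review its contents and owner." }
if ($findings.Count -gt 0) {
    Write-Warning "Non-admin principals can write at '$node':"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Only trusted principals can write at '$node'."
}
```

A finding at `C:\` means the missing directories can be created by that principal; a finding deeper in the path means the directory already exists and deserves a look at its owner and contents.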

What should be done?

Please update your copy of Enpass to the latest version, 5.4.1, if you have not done so already.

 

Comments

Bipin Paul 1 year ago

The upcoming extension will work with UWP apps or just with the desktop version of apps?

Enpass Team 1 year ago

Hi Bipin,

The upcoming Enpass extension for Edge browser will work with the Enpass UWP app.

Bipin Paul 12 months ago

That's great! What about other browser extensions? Are other browser extensions also going to have support for UWP?

Jeroen Evens 11 months ago

Highly doubt that's possible, since UWP apps are sandboxed without any real option to communicate with non-UWP apps.
Edge support is only possible because it's a UWP app.
You can always run both the UWP and desktop versions of Enpass though; then you can use Cortana with Enpass UWP and the regular desktop app for Chrome/Firefox support.

Ivarson 12 months ago

This is good transparency.

Jay 11 months, 2 weeks ago

Great response to remedy this problem Enpass Team!

user 11 months, 2 weeks ago

Not working with Yandex browser running on Windows 10.

Enpass Team 10 months, 3 weeks ago

Hi,

Currently, Enpass doesn't support a browser extension for the Yandex browser, so we can't comment on what the possible reason would be that the Enpass extension doesn't work with Yandex.

So we recommend you use one of these browsers that Enpass supports: Chrome, Firefox, Opera, Safari or Vivaldi.

nske 11 months, 1 week ago

Portable version is still at v5.3.

Is this intentional?

Enpass Team 10 months, 3 weeks ago

Hi,

At the moment our dev team is focusing on bringing the Attachment support to Enpass asap. Once it's released, they will start work on the portable version and will release an update.

Hsu Chang 11 months ago

Do you have a team or shared feature?
For a business group or team.

Enpass Team 10 months, 3 weeks ago

Hi Hsu,

No. Right now you can create a single vault with Enpass, and the multi-vault feature is already on our roadmap and will definitely come in future versions.
