Impact
Users who installed NixOS through the graphical installer who used manual disk partitioning to create a setup where all of the following are true:
- the system was booted via legacy BIOS rather than UEFI; and
- some disk partitions are encrypted; but
- the partitions containing either / or /boot are unencrypted
have their LUKS disk encryption key file in plain text either in /crypto_keyfile.bin, or in a CPIO archive attached to their NixOS initrd.
nixos-install is not affected, nor are UEFI installations, nor was the default automatic partitioning configuration on legacy BIOS systems.
Patches
The problem has been fixed in calamares-nixos-extensions 0.3.17 via #43, which was included in NixOS via NixOS/nixpkgs#331607 and NixOS/nixpkgs#334252. The current installer images for the NixOS 24.05 and unstable (24.11) channels are unaffected. The fix reached 24.05 at 2024-08-13 20:06:59 UTC, and unstable at 2024-08-15 09:00:20 UTC. Installer images downloaded before those times may be vulnerable.
Workarounds
The best solution for affected users is probably to back up their data and do a complete reinstallation. However, the mitigation procedure in GHSA-3rvf-24q2-24ww should work solely for the case where / is encrypted but /boot is not. If / is unencrypted, then the /crypto_keyfile.bin file will need to be deleted and the boot.initrd.luks.devices.*.keyFile options removed in addition to the remediation steps in the previous advisory.
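One way to check an installed system against the conditions above, as an added example that is not part of the advisory or the NixOS project's code. The function names, the verdict strings, the /etc/nixos configuration location and the use of findmnt and lsblk to detect a dm-crypt layer are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): check a system against its conditions.
# ROOT is a path prefix so the checks can run on a mounted copy or a test tree.

# Legacy BIOS boot: the kernel exposes no EFI directory in sysfs.
is_legacy_bios() { [ ! -d "$1/sys/firmware/efi" ]; }

# The plain-text key file named in the advisory.
has_root_keyfile() { [ -e "$1/crypto_keyfile.bin" ]; }

# Any keyFile assignment in the NixOS configuration (assumed under /etc/nixos).
# Heuristic: a commented-out assignment also matches.
has_keyfile_option() { grep -rqsE 'keyFile[[:space:]]*=' "$1/etc/nixos"; }

# $1 is `lsblk -nso TYPE <device>` output: the device's type and its parents'.
# A "crypt" entry means the filesystem sits on a dm-crypt (LUKS) mapping.
is_encrypted() { printf '%s\n' "$1" | grep -qw crypt; }

# assess ROOT ROOT_TYPES BOOT_TYPES -> prints one verdict line.
assess() {
    if ! is_legacy_bios "$1"; then
        echo "not-affected: booted via UEFI"
    elif has_root_keyfile "$1" && ! is_encrypted "$2"; then
        echo "exposed: /crypto_keyfile.bin is on an unencrypted /"
    elif has_keyfile_option "$1" && ! is_encrypted "$3"; then
        echo "check-initrd: keyFile configured and /boot is unencrypted"
    else
        echo "no-exposure-found"
    fi
}

# Backing device of a mount point, without a btrfs "[/subvol]" suffix.
mount_source() {
    s=$(findmnt -no SOURCE "$1") || return 1
    echo "${s%%\[*}"
}

# Gather the facts from the running system (run as root).
assess_live() {
    root_dev=$(mount_source /)
    boot_dev=$(mount_source /boot || echo "$root_dev")  # /boot may live on /
    assess "" "$(lsblk -nso TYPE "$root_dev")" "$(lsblk -nso TYPE "$boot_dev")"
}

if [ "${1:-}" = "--live" ]; then assess_live; fi
```

Run it with --live as root on the installed system. A check-initrd verdict is a heuristic: it means the initrd on /boot should be inspected and remediated as described in the previous advisory.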
References
This is a partial regression of CVE-2023-36476 / GHSA-3rvf-24q2-24ww, which was more severe as it applied to the default configuration on BIOS systems.