
calamares-nixos-extensions LUKS keyfile exposure regression on legacy BIOS systems

High
ElvishJerricco published GHSA-vfxf-gpmj-2p25 Aug 15, 2024

Package

Graphical Calamares Installer (NixOS)

Affected versions

≤0.3.16

Patched versions

0.3.17

Description

Impact

Users who installed NixOS through the graphical installer using manual disk partitioning, producing a setup where all of the following are true:

  • the system was booted via legacy BIOS rather than UEFI;
  • some disk partitions are encrypted; and
  • the partition containing / or the partition containing /boot is unencrypted

have their LUKS disk encryption key file stored in plain text on an unencrypted partition: in /crypto_keyfile.bin on an unencrypted /, or in a CPIO archive appended to the NixOS initrd in an unencrypted /boot. Anyone who can read that partition (for example by removing the disk or booting another OS) can recover the key and unlock the encrypted volumes without the passphrase.

nixos-install is not affected, nor are UEFI installations, nor was the default automatic partitioning configuration on legacy BIOS systems.

Patches

The problem has been fixed in calamares-nixos-extensions 0.3.17 via NixOS/calamares-nixos-extensions#43, which was included in NixOS via NixOS/nixpkgs#331607 and NixOS/nixpkgs#334252. The current installer images for the NixOS 24.05 and unstable (24.11) channels are unaffected. The fix reached 24.05 at 2024-08-13 20:06:59 UTC, and unstable at 2024-08-15 09:00:20 UTC. Installer images downloaded before those times may still carry the vulnerable version. Note that the exposure is created at install time on the target disk, so a system installed from a vulnerable image remains affected even after it is updated to a fixed channel; it must be remediated as described below.

Workarounds

The best solution for affected users is probably to back up their data and do a complete reinstallation. However, the mitigation procedure in GHSA-3rvf-24q2-24ww should work solely for the case where / is encrypted but /boot is not. If / is unencrypted, then the /crypto_keyfile.bin file will need to be deleted and the boot.initrd.luks.devices.*.keyFile options removed in addition to the remediation steps in the previous advisory. Deleting the file only removes the on-disk copy: anyone who already read the key file can still unlock the volume as long as the LUKS key slot holding that key remains valid, so treat the key material as compromised rather than merely misplaced.
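The following read-only check is an added example, not code from the advisory or from calamares-nixos-extensions. It looks for the three artifacts the Impact and Workarounds sections describe: a plaintext /crypto_keyfile.bin on the root filesystem, a crypto_keyfile.bin entry inside an initrd (NixOS appends initrd secrets as an uncompressed CPIO archive, so the file name is visible to a binary grep), and configuration under /etc/nixos that still sets boot.initrd.luks.devices.*.keyFile. The root and initrd paths are parameters so it can be pointed at a target system mounted from a live image; the function names and the "run from a live image" usage are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or calamares-nixos-extensions).
# Read-only check for the LUKS key-file exposure described in GHSA-vfxf-gpmj-2p25.
#
# Usage: check_luks_keyfile_exposure ROOT INITRD
#   ROOT   - mount point of the installed system's root filesystem ("/" when
#            run on the running system, or e.g. /mnt from a live image)
#   INITRD - one initrd image as written to /boot
# Exit status 0 means nothing was found; 1 means at least one finding.

# find_keyfile_refs ROOT
#   Prints the files under ROOT/etc/nixos that set a keyFile option
#   (boot.initrd.luks.devices.<name>.keyFile is the one the advisory says to
#   remove). Prints nothing when there are no references.
find_keyfile_refs() {
    root=$1
    [ -d "$root/etc/nixos" ] || return 0
    grep -rlE 'keyFile[[:space:]]*=' "$root/etc/nixos" 2>/dev/null || true
}

# initrd_embeds_keyfile INITRD
#   Returns 0 if the initrd carries a file named crypto_keyfile.bin. Secrets
#   appended via boot.initrd.secrets are stored as an uncompressed CPIO
#   archive after the compressed initrd, so the entry name is greppable even
#   though the rest of the image is compressed.
initrd_embeds_keyfile() {
    initrd=$1
    [ -f "$initrd" ] || return 1
    grep -a -q 'crypto_keyfile.bin' "$initrd"
}

# check_luks_keyfile_exposure ROOT INITRD
#   Prints one line per finding; returns 1 if anything was found, else 0.
check_luks_keyfile_exposure() {
    root=$1
    initrd=$2
    found=0
    if [ -f "$root/crypto_keyfile.bin" ]; then
        echo "FOUND: plaintext key file at $root/crypto_keyfile.bin"
        found=1
    fi
    if initrd_embeds_keyfile "$initrd"; then
        echo "FOUND: crypto_keyfile.bin embedded in initrd $initrd"
        found=1
    fi
    refs=$(find_keyfile_refs "$root")
    if [ -n "$refs" ]; then
        echo "FOUND: boot.initrd.luks.devices.*.keyFile still set in:"
        echo "$refs"
        found=1
    fi
    return $found
}

# booted_uefi
#   Returns 0 when the running kernel was started by UEFI firmware. Only
#   meaningful on the running system; the advisory applies to BIOS boots.
booted_uefi() {
    [ -d /sys/firmware/efi ]
}

# Stand-alone invocation: check the running system against every initrd
# under /boot. The /boot/kernels location is what NixOS's GRUB (BIOS)
# configuration uses; adjust BOOTDIR if your layout differs (assumption).
if [ "${1:-}" = "--run" ]; then
    BOOTDIR=${2:-/boot/kernels}
    booted_uefi && echo "note: this system booted via UEFI; advisory applies to BIOS boots"
    rc=0
    for img in "$BOOTDIR"/*initrd*; do
        [ -f "$img" ] || continue
        check_luks_keyfile_exposure / "$img" || rc=1
    done
    exit $rc
fi
```

Run it as `sh check.sh --run` on the installed system, or source it from a live image and call `check_luks_keyfile_exposure /mnt /mnt/boot/kernels/<initrd>` for each initrd after mounting the target. A clean result from this check does not prove the key was never exposed; it only shows that the artifacts are no longer present, which is why the Workarounds section still recommends reinstalling.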

References

This is a partial regression of CVE-2023-36476 / GHSA-3rvf-24q2-24ww, which was more severe as it applied to the default configuration on BIOS systems.

Severity

High

CVSS overall score

7.8 / 10 (CVSS 3.1 base score computed from the vector below; a score in the 7.0 to 8.9 range is rated High)

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CVE ID

CVE-2024-43378
