Impact
Users who installed NixOS through the graphical installer who used manual disk partitioning to create a setup where all of the following are true:
- the system was booted via legacy BIOS rather than UEFI; and
- some disk partitions are encrypted; but
- the partitions containing either
/ or /boot are unencrypted
have their LUKS disk encryption key file in plain text either in /crypto_keyfile.bin, or in a CPIO archive attached to their NixOS initrd.
nixos-install is not affected, nor are UEFI installations, nor was the default automatic partitioning configuration on legacy BIOS systems.
Patches
The problem has been fixed in calamares-nixos-extensions 0.3.17 via #43, which was included in NixOS via NixOS/nixpkgs#331607 and NixOS/nixpkgs#334252. The current installer images for the NixOS 24.05 and unstable (24.11) channels are unaffected. The fix reached 24.05 at 2024-08-13 20:06:59 UTC, and unstable at 2024-08-15 09:00:20 UTC. Installer images downloaded before those times may be vulnerable.
Workarounds
The best solution for affected users is probably to back up their data and do a complete reinstallation. However, the mitigation procedure in GHSA-3rvf-24q2-24ww should work solely for the case where / is encrypted but /boot is not. If / is unencrypted, then the /crypto_keyfile.bin file will need to be deleted and the boot.initrd.luks.devices.*.keyFile options removed in addition to the remediation steps in the previous advisory.
References
This is a partial regression of CVE-2023-36476 / GHSA-3rvf-24q2-24ww, which was more severe as it applied to the default configuration on BIOS systems.
Nintorac Finder
septem9er Reporter
vlinkz Remediation developer
ElvishJerricco Remediation developer
emilazy Coordinator
Impact
Users who installed NixOS through the graphical installer who used manual disk partitioning to create a setup where all of the following are true:
/or/bootare unencryptedhave their LUKS disk encryption key file in plain text either in
/crypto_keyfile.bin, or in a CPIO archive attached to their NixOS initrd.nixos-installis not affected, nor are UEFI installations, nor was the default automatic partitioning configuration on legacy BIOS systems.Patches
The problem has been fixed in calamares-nixos-extensions 0.3.17 via #43, which was included in NixOS via NixOS/nixpkgs#331607 and NixOS/nixpkgs#334252. The current installer images for the NixOS 24.05 and unstable (24.11) channels are unaffected. The fix reached 24.05 at 2024-08-13 20:06:59 UTC, and unstable at 2024-08-15 09:00:20 UTC. Installer images downloaded before those times may be vulnerable.
Workarounds
The best solution for affected users is probably to back up their data and do a complete reinstallation. However, the mitigation procedure in GHSA-3rvf-24q2-24ww should work solely for the case where
/is encrypted but/bootis not. If/is unencrypted, then the/crypto_keyfile.binfile will need to be deleted and theboot.initrd.luks.devices.*.keyFileoptions removed in addition to the remediation steps in the previous advisory.References
This is a partial regression of CVE-2023-36476 / GHSA-3rvf-24q2-24ww, which was more severe as it applied to the default configuration on BIOS systems.