Security advisory: Graphical installer disk encryption bug regression on legacy BIOS systems using manual partitioning (CVE-2024-43378 / GHSA-vfxf-gpmj-2p25)

We have released the CVE-2024-43378 / GHSA-vfxf-gpmj-2p25 advisory about a disk encryption bug regression in the NixOS graphical installer under specific configurations.

Impact

Users who installed NixOS through the graphical installer who used manual disk partitioning to create a setup where all of the following are true:

• the system was booted via legacy BIOS rather than UEFI; and
• some disk partitions are encrypted; but
• the partitions containing either / or /boot are unencrypted

have their LUKS disk encryption key file in plain text either in /crypto_keyfile.bin, or in a CPIO archive attached to their NixOS initrd.

nixos-install is not affected, nor are UEFI installations, nor was the default automatic partitioning configuration on legacy BIOS systems.

Patches

The problem has been fixed in calamares-nixos-extensions 0.3.17 via #43, which was included in NixOS via NixOS/nixpkgs#331607 and NixOS/nixpkgs#334252. The current installer images for the NixOS 24.05 and unstable (24.11) channels are unaffected. The fix reached 24.05 at 2024-08-13 20:06:59 UTC, and unstable at 2024-08-15 09:00:20 UTC. Installer images downloaded before those times may be vulnerable.

Workarounds

The best solution for affected users is probably to back up their data and do a complete reinstallation. However, the mitigation procedure in GHSA-3rvf-24q2-24ww should work solely for the case where / is encrypted but /boot is not. If / is unencrypted, then the /crypto_keyfile.bin file will need to be deleted and the boot.initrd.luks.devices.*.keyFile options removed in addition to the remediation steps in the previous advisory.

References

This is a partial regression of CVE-2023-36476 / GHSA-3rvf-24q2-24ww, which was more severe as it applied to the default configuration on BIOS systems.

How can I tell whether my system is affected? Is nix-shell -p binwalk --run "binwalk /boot/EFI/nixos/*.efi | grep -i cpio | grep -i crypto_keyfile.bin" mentioned for CVE-2023-36476 indicative for CVE-2024-43378, too?

I didn’t manage to think of a good automated solution to check in time for the disclosure. The best way would just be to assess whether the “Impact” section applies to you. You can check how your system boots and what your partition layout is (and of course hopefully you remember if you used the graphical installer). /proc/mounts, lsblk, and cryptsetup may be helpful for determining this. Mentions of crypto_keyfile.bin in your configuration are also indicative (but not proof positive – the default setup is not vulnerable, for instance).

If you use UEFI or didn’t manually set up encrypted partitions with the graphical installer then you’re not vulnerable (unless it’s a hold‐over from an unfixed setup that the previous advisory applied to).

If your / file system is unencrypted, then you could be affected if you see a /crypto_keyfile.bin file. If your /boot is unencrypted, then you could be affected if nix-shell -p dracut --run "lsinitrd $INITRD | grep crypto_keyfile.bin" (where $INITRD is any of the initrd files in /boot) prints any output. You can know if a file system is encrypted by checking if its block device is a crypt type device in lsblk.