Security Advisory - Use of hardcoded cryptographic settings by default in the LimeSurvey NixOS module

Description

The LimeSurvey NixOS module used hardcoded cryptographic settings as default values.
Anyone with access to the database used by LimeSurvey, or to a dump
of it, can decrypt the encrypted database entries.

Am I affected?

You are affected if you are using NixOS 24.05, 23.11 or unstable and
you did not set custom values for the services.limesurvey.encryptionKey
and services.limesurvey.encryptionNonce settings.

Recommended action

Existing deployments will require manual actions to resolve this situation.

LimeSurvey does not offer an easy way to rotate the encryption key.
To set a new key, you will first need to turn off encryption.
This can be done in the administration panel:

  • Central Participant Database: Navigate to Configuration → Central participant management → Attributes and switch the encrypted fields to Off.
  • Surveys: If you activated encryption on some attributes, the easiest way is to export an archive so you can re-import them after the upgrade.

More information about encryption settings can be found in the LimeSurvey manual.

Once you are ready to perform the upgrade, set the following settings:

  • services.limesurvey.encryptionKeyFile: path to a file containing a 32-character uppercase hex string.
  • services.limesurvey.encryptionNonceFile: path to a file containing a 24-character uppercase hex string.

After upgrading, you can re-activate the encryption settings you disabled in the previous step.
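The two secret files above have a precise shape (32 and 24 uppercase hex characters), and a malformed file is the kind of mistake that only surfaces after the upgrade. The following POSIX shell script is an added example, not part of the advisory or of the nixpkgs module: it generates both files from /dev/urandom with owner-only permissions and verifies their contents before you reference them from the NixOS options. The file paths /var/keys/limesurvey-key and /var/keys/limesurvey-nonce are assumptions chosen for illustration; use whatever secret-management path suits your deployment.

```shell
#!/bin/sh
# Added example (not from the advisory): create and validate the key and
# nonce files for services.limesurvey.encryptionKeyFile and
# services.limesurvey.encryptionNonceFile.
set -eu

# random_upper_hex N: print N random uppercase hex characters (N must be even).
# Reads N/2 bytes from /dev/urandom and renders them as hex, no trailing newline.
random_upper_hex() {
    nbytes=$(( $1 / 2 ))
    head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# write_secret_file PATH LEN: write a fresh LEN-character uppercase hex string
# to PATH. The subshell keeps the restrictive umask local to this call, so the
# file is created readable by its owner only.
write_secret_file() {
    ( umask 077; random_upper_hex "$2" > "$1" )
}

# check_hex_file PATH LEN: succeed only if PATH holds exactly LEN bytes and
# every byte is an uppercase hex digit (no newline, no lowercase, no spaces).
check_hex_file() {
    [ -f "$1" ] || return 1
    len=$(wc -c < "$1" | tr -d ' ')
    [ "$len" -eq "$2" ] || return 1
    # Delete every permitted character; anything left over is invalid.
    [ -z "$(tr -d '0-9A-F' < "$1")" ] || return 1
}

# Stand-alone usage: generate both files, then refuse to continue if either
# does not match the format the module expects. Paths are assumptions.
if [ "${1:-}" = "generate" ]; then
    key_file=/var/keys/limesurvey-key
    nonce_file=/var/keys/limesurvey-nonce
    write_secret_file "$key_file" 32
    write_secret_file "$nonce_file" 24
    check_hex_file "$key_file" 32 || { echo "bad key file" >&2; exit 1; }
    check_hex_file "$nonce_file" 24 || { echo "bad nonce file" >&2; exit 1; }
    # Then point the module at them, e.g. in configuration.nix:
    #   services.limesurvey.encryptionKeyFile = "/var/keys/limesurvey-key";
    #   services.limesurvey.encryptionNonceFile = "/var/keys/limesurvey-nonce";
    echo "key and nonce files written and verified"
fi
```

Run `sh generate-limesurvey-secrets.sh generate` as root (or with write access to the chosen directory) before switching to the fixed module; keep the files out of the Nix store, since anything in the store is world-readable. Because LimeSurvey does not offer a key-rotation path, treat these files with the same care as a database password backup: losing them after you re-enable encryption means losing the encrypted attributes.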

Fix Availability

A fix removing the hardcoded default settings has been merged for all affected NixOS releases.
This change is backward-incompatible for affected configurations, requiring manual actions to
set new encryption settings and manage existing data.
