CVE-2024-43378
📋 TL;DR
The NixOS graphical installer (calamares-nixos-extensions) leaves the LUKS key file in plain text on legacy BIOS installations that used manual partitioning with a mix of encrypted and unencrypted partitions. If / is unencrypted, the key file remains at /crypto_keyfile.bin on the root filesystem; if / is encrypted but /boot is not, the key file is embedded in the initrd CPIO archive in /boot. Anyone who can read either file can unlock the encrypted partitions.
💻 Affected Systems
- calamares-nixos-extensions
⚠️ Manual Verification Required
This CVE record carries no affected-version range, so automated version matching cannot determine whether a system is affected.
Why? The CVE entry does not specify version ranges. The GitHub advisory names calamares-nixos-extensions 0.3.17 as the fixed release, and for an already installed system what matters is how it was partitioned at install time, not the version of any package on the running system.
- Review the CVE details at NVD and the GitHub advisory GHSA-vfxf-gpmj-2p25
- Check which installer image the system was installed from and how it was partitioned (legacy BIOS plus manual partitioning is the affected combination)
- Test whether a plaintext key file is present on the system (see How to Verify below)
- For new installations, use an installer image that ships calamares-nixos-extensions 0.3.17 or later; updating the package on an installed system does not remove key files that were already written
⚠️ Risk & Real-World Impact
Worst Case
An attacker who obtains the key file can unlock and read every LUKS partition it protects, and with offline access to the decrypted root filesystem can also modify it (for example to plant a backdoor or reset credentials). That is how the key exposure turns into full system compromise rather than only data disclosure, with complete loss of data confidentiality.
Likely Case
A local attacker, or malware running under a compromised user account, reads /crypto_keyfile.bin or the initrd in /boot (an unencrypted /boot is usually readable by any local user), obtains the LUKS key and can access the encrypted partitions.
If Mitigated
No impact if the system was installed via UEFI, with automatic partitioning, or with both / and /boot inside the LUKS-encrypted storage, so that the key file only ever resides on encrypted media.
🎯 Exploit Status
Exploitation needs only local read access to the key file or to the initrd in /boot; there is no remote vector. The issue is a partial regression of CVE-2023-36476 (GHSA-3rvf-24q2-24ww), which addressed the same kind of key exposure in an earlier release.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: calamares-nixos-extensions 0.3.17
Vendor Advisory: https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-vfxf-gpmj-2p25
Restart Required: Yes
Instructions:
1. New installations: use installer images that ship calamares-nixos-extensions 0.3.17 or later (NixOS 24.05 images built after 2024-08-13, unstable images built after 2024-08-15).
2. Already installed, affected systems: the vulnerable package only ran at install time and cannot be patched in place. Back up your data and reinstall with an updated image; until then apply the applicable mitigation below.
3. If / is encrypted but /boot is not: follow the GHSA-3rvf-24q2-24ww mitigation (the key file is embedded in the initrd in /boot).
4. If / is unencrypted: delete /crypto_keyfile.bin. If your NixOS configuration references the file (boot.initrd.secrets or boot.initrd.luks.devices.<name>.keyFile), remove those references as well, otherwise the next rebuild fails when it tries to copy the missing secret; afterwards the LUKS passphrase is requested at boot. Deleting the file does not revoke the LUKS keyslot it unlocks, so anyone who has already copied it can still use it, which is why the advisory recommends reinstalling.
🔧 Temporary Workarounds
Manual key file removal and reconfiguration
Linux: remove the exposed key file and regenerate the initrd without the plaintext key. Remove any reference to /crypto_keyfile.bin from the NixOS configuration before rebuilding, or the rebuild fails on the missing file.
sudo rm -f /crypto_keyfile.bin
sudo nixos-rebuild switch
🧯 If You Can't Patch
- Migrate to a UEFI installation; the affected layouts are legacy BIOS installs only
- Reconfigure disk encryption so that both / and /boot are inside the LUKS-encrypted storage, leaving no unencrypted location for the key file
🔍 How to Verify
Check if Vulnerable:
Confirm the system was installed with legacy BIOS and manual partitioning, then check both places the key can end up: 'ls -la /crypto_keyfile.bin' for the root-filesystem copy, and list the entries of every initrd under /boot (on a GRUB install they live under /boot/kernels/) looking for crypto_keyfile.bin. NixOS appends initrd secrets as a second CPIO archive behind the first, so a lister that stops at the first TRAILER!!! record (plain 'cpio -t') can miss the key; the 'lsinitrd' tool comes from dracut and is not present on a stock NixOS system.
Check Version (on the installer medium only; the package is not part of an installed system):
nix-env -q calamares-nixos-extensions
Verify Fix Applied:
For a new installation, confirm the installer image carried calamares-nixos-extensions 0.3.17 or later ('nix-env -q calamares-nixos-extensions' on the live medium). For an existing system, confirm that /crypto_keyfile.bin is gone and that no initrd under /boot contains it; since a copied key file still unlocks the volume, only a reinstall as recommended by the advisory fully closes the exposure.
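The check above is easy to get wrong at the initrd step, because the appended secrets archive sits behind the first TRAILER!!! record. The following script is an added example, not code from the advisory or from calamares-nixos-extensions; it inspects the three indicators (key file on the root filesystem, references in /etc/nixos, key file inside any initrd under /boot) and walks concatenated CPIO archives. It assumes initrd images live under /boot with "initrd" in the file name, that the key file is named crypto_keyfile.bin in both places, and that the initrd is a newc CPIO archive compressed with zstd (the NixOS default, decompressed via the zstd CLI) or gzip; none of those details are stated on the page. The constructed sample_initrd() stands in for an affected image so the logic can be exercised offline. Run it with python3 (nix-shell -p python3 if Python is not installed).

```python
"""Host check for the key-file exposure above. Added example; not code from
calamares-nixos-extensions or the NixOS advisories. Assumptions (not on the page):
initrd images sit under /boot with "initrd" in the name (e.g. /boot/kernels/*-initrd
on a GRUB install); the key file is named crypto_keyfile.bin on the root fs and inside
the initrd; the initrd is a newc CPIO archive compressed with zstd (NixOS default) or
gzip, possibly several archives back to back, which is how NixOS appends initrd secrets."""
import gzip, os, pathlib, shutil, stat, subprocess

KEYFILE_NAME = "crypto_keyfile.bin"

def decompress_initrd(blob: bytes) -> bytes:
    """Raw CPIO bytes of an initrd image; concatenated gzip members / zstd frames are kept."""
    if blob.startswith(b"070701"):                      # uncompressed newc archive
        return blob
    if blob.startswith(b"\x1f\x8b"):                    # gzip (older NixOS images)
        return gzip.decompress(blob)
    if blob.startswith(b"\x28\xb5\x2f\xfd"):            # zstd: the CLI accepts multi-frame input
        if shutil.which("zstd") is None:
            raise RuntimeError("zstd CLI not found; cannot inspect a zstd-compressed initrd")
        return subprocess.run(["zstd", "-dc"], input=blob, check=True, capture_output=True).stdout
    raise ValueError("unrecognised initrd compression")

def iter_newc(archive: bytes):
    """Yield (name, mode, data) for every entry and keep going past TRAILER!!! into any
    appended archive; `cpio -t` stops at the first trailer and would miss appended secrets."""
    base = pos = 0                                      # base: start of the current archive
    def align(p):                                       # newc pads header+name and data to 4 bytes
        return base + ((p - base + 3) & ~3)
    while pos + 110 <= len(archive):
        if archive[pos:pos + 6] != b"070701":
            raise ValueError(f"bad newc magic at offset {pos}")
        fields = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        data_start = align(pos + 110 + namesize)
        if name == "TRAILER!!!":
            pos = data_start
            while pos < len(archive) and archive[pos] == 0:  # zero padding between archives
                pos += 1
            base = pos
            continue
        yield name, mode, archive[data_start:data_start + filesize]
        pos = align(data_start + filesize)

def keyfile_entries(archive: bytes) -> list:
    """Names of regular-file entries whose basename is the installer key file."""
    return [name for name, mode, _ in iter_newc(archive)
            if stat.S_ISREG(mode) and os.path.basename(name) == KEYFILE_NAME]

def build_newc(entries) -> bytes:
    """Write a newc archive from (name, mode, data) tuples; used only to build the sample."""
    out = bytearray()
    for name, mode, data in list(entries) + [("TRAILER!!!", 0, b"")]:
        cname = name.encode() + b"\0"
        hdr = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(cname), 0)
        out += b"070701" + "".join(f"{v:08x}" for v in hdr).encode() + cname
        out += b"\0" * (-len(out) % 4) + data
        out += b"\0" * (-len(out) % 4)
    return bytes(out)

def sample_initrd() -> bytes:
    """Constructed stand-in for an affected initrd: the system archive followed by the
    appended secrets archive, each gzip-compressed, as append-initrd-secrets does."""
    system = build_newc([("init", 0o100755, b"#!/bin/sh\necho stage-1\n"), ("etc", 0o40755, b"")])
    secrets = build_newc([("./crypto_keyfile.bin", 0o100600, b"\x11" * 32)])
    return gzip.compress(system) + gzip.compress(secrets)

def check_host(root="/", boot="/boot", nix_config="/etc/nixos") -> dict:
    """Gather the indicators: key file on the root fs (with its mode), references to it in
    the NixOS configuration, initrd images under /boot that embed it, and images that
    could not be inspected. Paths are parameters so the check also runs on a mounted image."""
    f = {"keyfile_mode": None, "config_refs": [], "initrds": [], "errors": []}
    keyfile = pathlib.Path(root) / KEYFILE_NAME
    if keyfile.exists():
        f["keyfile_mode"] = oct(keyfile.stat().st_mode & 0o777)
    cfg = pathlib.Path(nix_config)
    for nix in (cfg.rglob("*.nix") if cfg.is_dir() else []):
        if KEYFILE_NAME in nix.read_text(errors="replace"):
            f["config_refs"].append(str(nix))
    bootdir = pathlib.Path(boot)
    for image in (bootdir.rglob("*initrd*") if bootdir.is_dir() else []):
        if not image.is_file():
            continue
        try:
            hits = keyfile_entries(decompress_initrd(image.read_bytes()))
        except (ValueError, RuntimeError, OSError, subprocess.CalledProcessError) as exc:
            f["errors"].append((str(image), str(exc)))
            continue
        if hits:
            f["initrds"].append((str(image), hits))
    return f

def is_exposed(findings: dict) -> bool:
    return findings["keyfile_mode"] is not None or bool(findings["initrds"])

if __name__ == "__main__":
    print("sample initrd hits:", keyfile_entries(decompress_initrd(sample_initrd())))
    result = check_host()
    print("EXPOSED" if is_exposed(result) else "no plaintext key file found", result)
```

Entries in "errors" mean an image could not be inspected (for example, no zstd binary on the host) and need a manual look; they are deliberately not counted as exposure. A non-empty "config_refs" with no key file present indicates a configuration that will fail at the next rebuild, which is the situation the mitigation step about removing configuration references is meant to avoid.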
📡 Detection & Monitoring
Log Indicators:
- Reads, or denied read attempts, of /crypto_keyfile.bin by anything other than the NixOS rebuild tooling
- Reads of the initrd images under /boot by unexpected users or processes
- Note: Linux does not log file reads by default. Add auditd watches such as '-w /crypto_keyfile.bin -p rwa -k luks_keyfile' and '-w /boot -p r -k initrd_read' to produce these events.
Network Indicators:
- None; the attack is local
SIEM Query:
file_access AND (path:"/crypto_keyfile.bin" OR path:"/boot/initrd*") AND user:!root
Filter on the audit login uid (auid) as well as uid: a read performed via sudo shows uid=0 but keeps the original user's auid, and would slip past a plain user:!root filter.
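The query above is generic SIEM pseudo-syntax. The following added example (not from the page or the NixOS project) shows the same detection over raw auditd records as produced by the two auditctl watches named above, assuming their keys are luks_keyfile and initrd_read. It correlates SYSCALL and PATH records by event serial, flags any access by a non-root uid (successful or denied) and additionally marks successful root reads coming from an interactive login session (auid set), which catches the sudo case that user:!root misses. The log lines are constructed; inode numbers, store paths and timestamps are placeholders.

```python
"""auditd-based detection for reads of the LUKS key file / initrd (added example).
Assumes auditctl watches with keys luks_keyfile and initrd_read; sample records below
are constructed, not captured from a real system."""
import re
from collections import defaultdict

AUDIT_KEYS = {"luks_keyfile", "initrd_read"}    # -k values of the assumed auditctl watches
AUID_UNSET = 4294967295                          # auid when no login session (boot-time services)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1723550000.101:4301): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2210 pid=2244 auid=1000 uid=1000 gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 tty=pts0 ses=3 comm="cat" exe="/run/current-system/sw/bin/cat" key="luks_keyfile"
type=PATH msg=audit(1723550000.101:4301): item=0 name="/crypto_keyfile.bin" inode=262401 dev=08:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1723550040.512:4320): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=913 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cpio" exe="/nix/store/example-cpio/bin/cpio" key="luks_keyfile"
type=PATH msg=audit(1723550040.512:4320): item=0 name="/crypto_keyfile.bin" inode=262401 dev=08:02 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1723550090.077:4388): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=3102 pid=3150 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/run/current-system/sw/bin/cat" key="initrd_read"
type=PATH msg=audit(1723550090.077:4388): item=0 name="/boot/kernels/example-initrd" inode=14 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1723550120.300:4401): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=1201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/nix/store/example-sshd/bin/sshd" key="sshd_config"
"""

def parse_record(line: str):
    """One audit record -> dict of its key=value fields plus the event serial; quotes stripped."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["time"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec

def group_events(lines):
    """Audit events span several records (SYSCALL, PATH, ...) sharing one serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events

def detect(lines) -> list:
    """alert : any access, successful or denied, to a watched path by a non-root uid
       review: a successful root access from a login session (auid set), e.g. cat via sudo"""
    alerts = []
    for serial, recs in sorted(group_events(lines).items()):
        sys_rec = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sys_rec or sys_rec.get("key") not in AUDIT_KEYS:
            continue
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        uid, auid = int(sys_rec.get("uid", -1)), int(sys_rec.get("auid", AUID_UNSET))
        base = {"serial": serial, "uid": uid, "auid": auid, "exe": sys_rec.get("exe"),
                "success": sys_rec.get("success") == "yes", "paths": paths}
        if uid != 0:
            alerts.append({**base, "severity": "alert", "reason": "non-root access to LUKS key material"})
        elif auid != AUID_UNSET and base["success"]:
            alerts.append({**base, "severity": "review", "reason": "root access from a login session"})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f'{a["severity"]:6} serial={a["serial"]} uid={a["uid"]} auid={a["auid"]} '
              f'success={a["success"]} exe={a["exe"]} paths={a["paths"]} ({a["reason"]})')
```

On the sample, the denied read by uid 1000 is an alert, the root read by cpio with no login session (the kind of access a rebuild produces) is ignored, and the root read of the initrd from an interactive session is marked for review. Tune the review rule to your rebuild workflow; a rebuild run from an interactive sudo session will also carry the operator's auid.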
🔗 References
- https://github.com/NixOS/calamares-nixos-extensions/pull/43
- https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-3rvf-24q2-24ww
- https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-vfxf-gpmj-2p25
- https://github.com/NixOS/nixpkgs/pull/331607
- https://github.com/NixOS/nixpkgs/pull/334252